Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Tax Accounting for the New Partnership Audit RulesNATE SMITH, CBIZ NATIONAL TAX OFFICE MAY 18, 2018
Speaker
Nate Smith is a Director in the CBIZ National Tax Office, bringing over 20 years of
experience in public accounting to provide technical support and strategic
solutions for the firm’s tax practice. Nate leads the development of practice aids
and tactical approaches used in responding to industry and Federal tax
developments in a variety of subject matter areas. He also consults nationally to
facilitate delivery of client service opportunities and solutions, contributes as an
author and editor to the firm's tax thought leadership publications and assists with
the development and implementation of national tax policies and procedures.
727.572.1400 • [email protected]
Nate Smith, CPADirector, CBIZ MHM, LLC
CBIZ, Inc.Tax Accounting for the New Partnership Audit Rules2
Topics for Today
Overview of new partnership audit rules
Example: Net increase from exam; one partner leaves
Accounting for adjustments under ASC 740
3 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Overview of New Rules
Overview of New Partnership Audit Rules
IRS facing significant challenges in conducting audits under existing TEFRA rules Identification of Tax Matters Partner
Administration of required notice and participation rights
Processing of examination adjustments for ultimate partners
Bipartisan Budget Act of 2015 (“BBA”) signed into law on November 2, 2015
New audit rules generally apply to partnership tax years beginning after December 31, 2017
Many strategies to consider under new rules; specific concerns of partners effectively require every partnership and LLC to amend its partnership/member agreement
5 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Overview of New Partnership Audit Rules
New rules fundamentally change the IRS examination and tax collection process for partnerships Underpaid tax, interest and penalties resulting from
unfavorable exam adjustments (“imputed underpayment”) assessed against and collected from partnership itself
Payable by partnership during the “adjustment year,” which is the year when “final partnership adjustment” IRS notice is mailed; reported on partnership’s adjustment year tax filing
Exam adjustments not resulting in imputed underpayment (favorable adjustments) do not produce a refund; instead are reported as income adjustments in partnership’s adjustment year tax filing
6 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Overview of New Partnership Audit Rules
Eligible partnerships provided with annual election to “opt out” of new rules. Eligible partnerships: Cannot issue more than 100 “statements” (Schedules K-1)
Cannot have a partner that is a partnership or a trust
Under proposed regulations, cannot have a partner that is a disregarded entity, nominee, or non-partner’s estate
Can have foreign partners, if such partners have TIN, and would be treated as C Corporations if they were domestic
Under proposed regulations, shareholders of S corporation partners count toward 100-statement limit
7 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Does the partnership always want to opt out? How will it ensure ineligible partners are not admitted?
Overview of New Partnership Audit Rules
Tax Matters Partner eliminated
Partnership Representative (“PR”) installed and given exclusive authority to bind the partnership and its partners to strategies employed during audit PR can be any person (partner or non-partner), as long as
the person has a “substantial presence in the United States”
Partners have no rights to participate in audit, receive notice of key audit stages, or contest audit results
Under proposed regulations, PR can be entity, as long as U.S. individual also is identified to act for entity
IRS can name a PR if a designation is not in effect
8 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Do partners want separately-negotiated rights to notification and participation?
Overview of New Partnership Audit Rules
An imputed underpayment is calculated by netting exam adjustments of similar character, and multiplying the netted positive amounts by the highest rate of tax in effect (for any type of taxpayer) for the year to which the adjustment relates Adjustments to partnership’s credit items then increase or
decrease the tentative calculation
Remember, netted non-positive amounts reported as income adjustments in partnership’s adjustment year tax filing
Decrease side of reallocations and recharacterizations do not net; treated as separate non-positive adjustments (picked up in adjustment year)
9 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Overview of New Partnership Audit Rules
PR can request alternative to the default imputed underpayment calculation, using “modification” procedures, or using a “push-out” election Modification procedures and push-out elections operate to
reduce or eliminate a portion or all of the partnership’s liability for an imputed underpayment Under technical corrections legislation, modifications or
push-out elections may be requested even if no portion of the exam adjustment results in an imputed underpayment, so if the adjustment is purely non-positive (favorable), all of these options are still available (big change from proposed regs)
The PR is the only person with IRS authority to choose a modification procedure or to make a push-out election
10 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Overview of New Partnership Audit Rules
Modification procedures: Amended returns Amended returns for “reviewed year” (the year pertaining to
the exam adjustment) filed by some or all partners
Amended returns do not have to be filed by all partners, or any partners
However, in the case of a reallocation adjustments, all affected partners must file amended returns
Default imputed underpayment does not include exam adjustments taken into account on amended returns
11 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
How will former partners be bound by this when PR determines it is in the current partners’ interest?
Overview of New Partnership Audit Rules
Modification procedures: Amended returns (cont’d) Amended returns must also be filed for “intervening years” if
affected by adjustment
Amended returns can be filed by “indirect partners” (e.g., owners of S Corporation partners and Partnership partners) to satisfy modification criteria for adjustments allocable to pass-through partners
Under proposed regulations, pass-through partners (e.g., partnership partners and S corporation partners) can elect to file an amended return that calculates an entity-level tax using a safe-harbor rate equal to the maximum rate for any type of partner, instead of providing for amended returns from indirect partners
12 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Overview of New Partnership Audit Rules
Modification procedures: Amended returns (cont’d) If desired, the partners can simply pay the tax that would be
due with amended returns (without actually filing amended returns), make binding changes to their tax attributes for subsequent years, and provide the IRS information to substantiate that the tax was correctly computed and paid
This has the same effect as amended returns, and is referred to as the “pull-in” procedure
13 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Overview of New Partnership Audit Rules
Modification Procedures: Rate Modification Rate of tax used to compute imputed underpayment is
reduced when shown that the highest tax rate for particular partners is lower than the highest rate for any partner
C Corporations have a maximum rate of 21%
Individuals have a maximum rate of 20% for the portion of adjustments allocable to qualified dividend income or long-term capital gains
S Corporation partners considered to be individuals
Under proposed regulations, partnership partners are eligible to substantiate rate modification to the extent adjustments are allocable to its own partners who have the above criteria
14 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Overview of New Partnership Audit Rules
Modification Procedures: Tax-exempt Partners Rate of tax used to compute imputed underpayment is
reduced when shown it is allocable to a “tax-exempt” partner as defined under IRC §168(h)(2)
Under proposed regulations, the tax-exempt partner must also demonstrate its adjustment is not subject to unrelated business income tax
15 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Is there a procedure to provide for dynamic data sharing so PR can have timely access to this data?
Overview of New Partnership Audit Rules
Push-out election In lieu of imputed underpayment, partnership elects to have
the exam adjustment “pushed out” to all reviewed yearpartners affected by adjustment
No amended returns filed; reviewed year returns recomputed with adjustment to identify tax increase
Tax increase payable by reviewed year partners during the year that the adjustments are reported
Interest on underpaid tax includes a 2% surcharge
Non-positive adjustments result in tax decrease
Non-positive (favorable) adjustments can be taken into account as a result of technical corrections legislation (big change from proposed regulations)
16 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Overview of New Partnership Audit Rules
Push-out election (cont’d) Corollary adjustments to “intervening years” also required
Exam adjustments are permitted under technical corrections legislation to push out to indirect partners (e.g., owners of partnership partners and S corporation partners)
Proposed regulations allow for any partner (including a pass-through partner) impacted by push-out election to elect a “safe harbor” tax calculation, which permits the partner to simply use the maximum rate of tax with respect to a push out adjustment, and removes the need to calculate intervening year adjustments
17 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Overview of New Partnership Audit Rules
Other modifications Proposed regulations provide for additional types of
modification procedures to default imputed underpayment
Publicly-traded partnerships demonstrating a net decrease to passive activity losses
Adjustment relates to “deficiency dividends” of a regulated investment company or a real estate investment trust
Adjustment taken into account by a partner in a closing agreement with IRS (similar effect to amended return)
18 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Example
Net increase from exam; one partner leaves
Ex.: Net increase from exam; one partner leaves
Partnership “P” is formed during Year 1 by Partners “A” and “B,” with agreement to share 50/50
Assume the beginning tax basis of A’s and B’s partnership interest is $0 each
P has Year 1 income of $1,000, allocated 50/50 to A and B
P has Year 2 income of $0, and during Year 2, A sells her entire interest in P to new Partner “C” for $600 A recognizes $100 gain on sale (the difference between her
Year 2 sales proceeds and basis of $500 that results from her Year 1 and Year 2 allocations from P)
P’s Year 1 tax return is audited during Year 3, where Year 1 income is re-determined to be $1,200 instead of $1,000
20 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Ex.: Net increase from exam; one partner leaves
Under the default imputed underpayment rule, tax on the $200 unfavorable adjustment is paid by P during Year 3 B and C economically bear the cost of the imputed
underpayment, which is “unfair” to C
Under the “push-out” election, the $200 unfavorable adjustment is pushed out to A and B, who re-compute their Year 1 taxes to account for the adjustment, and then report the resulting tax on their Year 3 tax returns “Fairer” to C, in that A remains responsible for the tax
increase attributable to A
A and B have no choice to comply with effects of election
A and B are subject to the 2% interest surcharge
BUT, what about “intervening year” adjustments?
21 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Ex.: Net increase from exam; one partner leaves
Under the “push-out” election, A must include “intervening year” adjustments Once A makes her $100 Year 1 push-out adjustment, her
basis in P at the end of Year 2 is increased from $500 to $600. As a result, A’s Year 2 gain on sale to C is reduced from $100 to $0.
A’s Year 2 tax decrease (resulting from this gain reduction) is taken into account in determining the final amount A must pay with her Year 3 tax return
Technical corrections legislation solved a major problem here, since previously the decrease adjustment could not be taken into account and would have whipsawed Partner A
22 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Ex.: Net increase from exam; one partner leaves
Under the amended return option, some or all of P’s Year 3 imputed underpayment can be replaced with tax paid by A and/or B on amended returns to be filed for Year 1
Assuming A uses the amended return option, she will prepare a Year 1 amended tax return and pay the tax resulting from the $100 exam adjustment allocable to A
A’s Year 2 taxes can be re-determined under the amended return option, so A can claim a refund for the tax paid on the Year 2 gain of $100 that is re-determined to be $0 “Fair” to both A and C, but comes with the administrative
burden of filing returns
Also, remember that A and B do not have to cooperate
23 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Ex.: Net increase from exam; one partner leaves
Practical concerns Who will help the Partnership Representative make the
appropriate choice?
What if A is subject to different tax rates on ordinary income and capital gains? A will not care much for the amended return option in that case, and would prefer the default rule (which hurts C). Note that the partnership must rely on A’s cooperation to take advantage of this modification procedure (the partnership cannot force A to amend, unless there is a previous contractual consent). On the other hand, the partnership could make a push-out election, without a need for A’s consent.
Will A have recourse against P if A is not consulted on choice between “push-out” election or amended return option?
These contingencies must be addressed in a revised partnership agreement
24 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
Accounting for Adjustments Under ASC 740
The new partnership audit rules provide that tax payments associated with examination adjustments are payable by the partnership itself, unless alternative actions are taken by the partnership representative This is an entity-level payment obligation, despite the fact
that a partnership is otherwise a pass-through entity for federal income tax purposes
The entity-level payment obligation resulting from the default rule raises new accounting considerations for a partnership, which otherwise refers to accounting guidance for pass-through entities Does ASC 740 govern accounting for the entity-level
payment obligation of a partnership?
26 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
The scope of potential tax payments to be made at the entity level includes: Tax resulting from examination adjustments discovered
during an IRS audit Tax resulting from administrative adjustment requests filed
by the partnership (the equivalent to an amended return for partnerships subject to the new audit rules) Interest and penalties on any entity-level tax payment
The potential for payment under any of these events indicates that (prior to these occurrences) the partnership has uncertain tax positions Does this extend the recognition and measurement analysis
of ASC 740-10-25-5 (aka “FIN 48”) to a partnership’s federal tax positions?
27 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
The partnership representative can restore the traditional application of pass-through taxation for examination adjustments by: Electing out of the new partnership audit rules, if eligible Making an amended return modification request (or a pull-in
modification request) Making a push-out election
This adds a conceptual wrinkle to the existing question about the proper accounting for entity-level payments, because any of these actions by the partnership representative are optional Must one assume the default rule because of this optionality? If not, what factors could overcome this optionality for financial
accounting purposes? Before asking these questions, it must first be determined whether
ASC 740 applies to entity-level payments under the default rule
28 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
Basic accounting guidelines for pass-through entities (PTE): Generally, no entity-level income tax accounting because the
PTE’s owners are taxed on their respective shares of the PTE’s taxable income (ASC 740-10-30-2, ASC 740-10-40-6)
Accounting rules for uncertain tax positions generally apply to the PTE (ASC 740-10-15-2AA)
Regarding a taxable entity’s investment in a PTE, the widely-accepted view is that the taxable entity’s investment in the PTE is treated as the unit of account for ASC 740 purposes (rather than the taxable entity’s proportionate share in each of the PTE’s assets/liabilities) Nevertheless, a taxable entity’s current taxes on its share of
income from a PTE, as well as the deferred taxes on its investment in the PTE, remain subject to the basic recognition and measurement criteria of ASC 740-10-25-5 (FIN 48), which requires consideration of the taxable entity’s share of uncertain tax positions within the PTE
29 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
The accounting guidance of ASC 740 applies only to taxes based on income (ASC 740-10-15-3)
Section 6221(a) of the Internal Revenue Code provides that tax on exam adjustments is assessed and collected at the partnership level, notwithstanding modification requested by the partnership representative Section 6232(a) provides that the assessment and
collection occurs in the same manner as if it was a tax imposed under “subtitle A” (income tax)
30 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
What to make of the partnership’s entity level payment
(or potential FIN 48 liability for payment)
Accounting for Adjustments Under ASC 740
Although the law provides that payment in this case is “assessed and collected” at the entity-level in a manner similar to income taxes, this does not clearly answer the accounting question as to whether the payment is a tax based on income “Assessed and collected” seem to speak to a legally enforceable
payment obligation, but do not exactly insinuate that the payment is a tax liability based on the partnership’s income
In Baltic v. Com’r, 129 T.C. 19 (2007), the Court noted that Section 6203 defines “assessment” as “the formal recording of a taxpayer’s tax liability”
Many other courts noted similarly (see for example, Miller v. U.S., 763 F. Supp. [1534] at 1543 (N.D. Cal. 1991))
In an effort to answer the question, the Regulations and other sources should also be reviewed
31 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
In the preamble to June 2017 Proposed Regulations, it is stated that “the partnership is liable for an imputed underpayment based on the adjustments made at the partnership level” (NPRM REG-136118-15)
In the preamble to December 2017 Proposed Regulations (dealing with push-out elections), the IRS stated that: “Partnerships, as such, are not subject to tax under chapter 1 of
the Code . . .”
. . . and with respect to assessment and collection from the partners, went on to say . . .
“The enactment of the centralized partnership audit regime changed this paradigm by introducing the imputed underpayment, an entity-level liability . . . that is assessed and collected at the partnership level, rather than being assessed and collected from the ultimate partners.” (NPRM REG-120232-17; REG-120233-17)
32 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
The 2015 explanation of the new rules provided by the Joint Committee on Taxation address this issue directly, where they state in their “Blue Book” report: “Under the centralized system, the flowthrough nature of the
partnership under subchapter K of the Code is unchanged, but the partnership is treated as a point of collection of underpayments that would otherwise be the responsibility of partners.” (JCS-1-16, at 79)
As articulated here, the partnership’s payment is regarded as a collection mechanism with regard to the tax responsibility of the partners, lending strong credence to the notion that the payment is not a tax on the partnership’s income Although this is directly on point, the authoritative weight of the
Blue Book report is applicable only when the statute is ambiguous (Caltex Oil Venture v. Com’r, 138 T.C. 18, 34 (2012); Burlington N.R.R. v. Okla. Tax Comm’n, 481 US 454, 461)
33 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
Recap regarding the nature of the payment as a tax based on income The law only states that a payment is “assessed and
collected” at the partnership level
The December 2017 proposed regulations are somewhat helpful in re-stating that partnerships are not subject to tax, as they went on to distinguish changes relating to liabilities that are “assessed and collected” at the partnership level
The Joint Committee on Taxation’s report is very helpful in answering this question, and although its authoritative weight is much less than that of the Code and Regulations, it can be considered to the extent the Code and Regulations are ambiguous
34 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
Through examples, ASC 740 touches on some broad concepts involved with determining whether a payment is a tax based on income
Example at ASC 740-10-55-228 In a situation involving an S corporation where laws and
regulations permit the S corporation and its shareholders to be held jointly and severally liable for payment of income taxes, and where those laws and regulations also indicate that the S corporation’s payment is made on behalf of its shareholders, the S corporation’s payment is attributed to its shareholders. Hence, the payment is treated as a transaction with the shareholders.
35 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
Example at ASC 740-10-55-228, cont’d On the first condition in the example, Section 6232(f)
provides that a partnership’s failure to satisfy the entity-level payment obligation allows the IRS to pursue payment from each partner However, this is not a “joint and several” payment right, in
that the IRS cannot pursue all of the payment from any of the parties involved The IRS must first pursue payment from the partnership,
and only after the partnership fails to pay by a specified date, may the IRS pursue payment from the partners Even if the partners become liable, they are each liable
only on their proportionate shares of the payment, so there is no joint and several payment right for the IRS here
36 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
Example at ASC 740-10-55-228, cont’d On the second condition in the example, the Joint
Committee on Taxation’s Blue Book report indicates that the partnership’s payments are made on behalf of the partners, however, federal laws and regulations do not indicate this
Accordingly, the example at ASC 740-10-55-228 is not analogous to the new partnership audit rules and does not answer the question
37 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
Example at ASC 740-10-55-226 In a situation where tax is assessed on a partnership and
where partners are permitted to file personal returns and claim a pro rata share of the partnership’s payment as a credit, the partnership’s payment is attributed to the partners regardless of whether they file, and regardless of any reimbursement arrangement from the partners. Hence, the payment is treated as a transaction with the partners.
This example is not analogous to the new partnership audit rules either, because the federal laws and regulations do not permit partners to claim credits on personal tax filings based on the partnership’s entity-level payment
As such, this example does not answer the question
38 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
Example at ASC 740-10-55-227 In the previous situation, where no provision is made for the
partners to file personal returns and where laws and regulations do not indicate that the partnership’s payments are made on behalf of the partners, the payment is attributed to the partnership and is subject to ASC 740 This example is the closest to the new partnership audit
rules, because on the first condition, provisions do broadly exist for partners to file personal returns On the other condition in the example, again the Blue Book
report indicates that the partnership’s payments are made on behalf of the partners, however, federal laws and regulations do not indicate this As such, this example does not answer the question directly,
but it is closer than the others
39 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
In March 2018, the AICPA posted “Q&A Section 7200” (item .09) to state its position for this question
In the AICPA guidance, they provide as follows: “[T]he collection of tax from the partnership is merely an
administrative convenience on the part of the government to collect the underpayment of income taxes from the partners in previous periods. Accordingly, the income taxes on partnership income, regardless of when paid, should continue to be attributed to the partners and, therefore, the partnership would not apply the FASB ASC 740 accounting model . . .”
The AICPA guidance then states: “[A] payment made by the partnership under the IRS partnership
audit regime should be treated as a distribution from the partnership to the partners in the financial statements of the partnership.”
40 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
The AICPA guidance echoes similar views from other major accounting firms and from the Joint Committee on Taxation’s Blue Book, and reflects the notion that the partnership’s payment is for the benefit of its partners, and does not constitute a tax on partnership income
Accordingly, the questions about whether the partnership representative takes certain actions to modify or eliminate the entity-level payment liability are irrelevant in concluding that ASC 740 does not apply to potential liabilities under the new partnership audit rules
41 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
Accounting for Adjustments Under ASC 740
Because ASC 740 does not apply here, accounting for the liability is treated as a transaction with the partners (as a distribution for financial accounting purposes)
The timing of such liability depends on when the partnership is obligated to pay This generally is when the partnership declares a
distribution
In this case, a partnership likely should consider accounting guidance under ASC 450 to determine when its distribution (obligation to pay) is effectively declared ASC 450 standards require consideration of liabilities that
are probable and reasonably estimable
42 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
?
QUESTIONS
?
??
43 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.
44
SPEAKER
CYBERSECURITY: GOVERNANCE, THREATSAND RISK MANAGEMENT
Steven J. Ursillo, Jr.Partner, National Leader of Information Assurance & Cybersecurity [email protected]
Steven J. Ursillo, Jr.Certifications: CPA, CGMA, CITP, CIA, CFE,
CISA, CISM, CISSP, CGEIT, CRISC, CEH, CCSFP
Partner, National Leader of Information Assurance & Cybersecurity
Meet the Speaker
Steve specializes in risk management, internal control over financial reporting, information system security, privacy, cyber fraud prevention and detection, security and privacy governance, and IT assurance services.
With more than 20 years of experience, Steve provides a variety of IT audit and security services for his clients across multiple industries. His background and knowledge with risk assurance and advisory engagements include information security readiness, cybersecurity, security and privacy attestation services, third‐party assurance including ISO 27001/PCI/NIST/HITRUST/HIPAA HITECH Security Assessments, cyber risk assessments, vendor risk assessments, disaster recover reviews, privacy reviews, Service Organizational Control (SOC) reporting including SOC 1, 2 & 3, ISAE 3402 as well asother types of attestations and readiness assessments. In the area of information security, Steve’s experience ranges from security consulting and implementation to security assessments involving network and attack and penetration testing.
CybersecurityWhat You Can Do
Focus and Objectives
Today’s Learning
Objectives
Facilitate a collaborative discussion to increase awareness around cyber security risks and threats
Facilitate a collaborative discussion around the cybersecurity risk mitigation tactics
Facilitate a collaborative discussion around senior management and board responsibilities pertaining to information security governance and incident response
Facilitate a discussion on other technology trends and related security considerations.
Cybersecurity Threat Landscape
Ransomware use is growing exponentially (RAAS)
Ransomware attacks evolve from simple malware, persistent attacks to destructive attacks.
IoT devices (smart appliances, smart entertainment) create a new attack vector for DDoS and malware attacks
Financial attack techniques are becoming more sophisticated
Attacks are continuing to be more targeted
Attackers are distributing malware for crypto currency mining
As cloud service usage proliferates, the amount of sensitive data on the public cloud increases
Cyber Threat LandscapeWhat are the trends?
6
Cyber espionage and warfare is on the rise
Hacktivism causes worldwide political subversion and sabotage
Phishing attacks will continue to thrive across social media platforms
Fake ads and ad wars will continue to escalate
Web applications are evolving at a faster rate than web security tools
Fileless malware leaves no evidence to be found during investigations
Cyber attackers are utilizing Artificial Intelligence (AI)
Cyber Threat LandscapeWhat are the trends? (Cont.)
7
How Much Technology Is Too Much?
8
How Much Technology Is Too Much?
9
Average cost of U.S. cybercrime rises to $17 million in 2016 ($15 million in 2015)
Only 39% of companies have implemented advanced data backup and recovery processes – reducing the average cost of a cybercrime by $2 million
– CIO Insight, 2017
Cost of Cybercrime
10
Cost Per Record
Ponemon Institute's 2017
Global Cost of Data Breach Study
$141 in 2017 - cost per record average ($225 average in US)
$380 cost per record average (healthcare)
$245 cost per record average (financial services)
Breach Impact
11
State Security Breach Notification Laws:
All 50 states as of 3/29/18 have enacted legislation for notice to individuals for breach of PII
The District of Columbia, Guam, Puerto Rico and the Virgin Islands
Customer / Vendor Contractual breach notifications requirements
Breach Impact
12
Federal Breach Notification Requirements: Privacy Act, the Federal Information
Security Management Act, Office of Management and Budget Guidance, the Veterans Affairs Information Security Act, HIPPA, the Health Information Technology for Economic and Clinical Health Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, the Fair Credit Reporting Act.
Breach Impact
13
Organized Crime/Terrorists
State Affiliated/Nation State
Hacktivists/Activist
Insiders…
Sources of Attacks
Insiders:
Employee
Disgruntled Employee
Past Employee
Hackers/Crackers
Unaffiliated
Competitor (Espionage)
Terrorist
Vendor / Customer (Trusted 3rd Party)
Sources of Attacks (continued)
Loss of private, confidential, customer data
System availability or service levels
Third party dependencies (vendor management)
Data breach (lack of incident response)
Spear phishing attacks
Attack sophistication and evolution
Data management
What Keeps the Board, Executive Management, and Audit Committees Up at Night?
Strategy, Compliance, Operational, Financial, Reputational Risk considerations
Lawsuits and legal implications
Proper risk mitigation
Negative publicity
Are we doing the right thing?
What Keeps the Board, Executive Management, and Audit Committees Up at Night? (continued)
Types of Information Stolen Stolen
Personal (ePHI, PHI, PII) Confidential (1st and 3rd Party) Credentials and System Secrets, Classified Controlled Unclassified
Information (CUI) Covered Defense Information
(CDI) Source Code Copyrighted, Proprietary Financial
18
Compromise to Detection
19
Mandiant M-Trends:
47% of victims discovered the breach internally
53% of victims were notified by an external entity
The median global time from compromise to detection dropped from 146 days (2015) to 99 days (2016)
Detection of Compromise
Threat activity increased in two key industries, financial services (15% to 19%) and education (3% to 8%)
Attacks are becoming more sophisticated – lines between nation-state actors and financial threat actors are becoming blurred
Detection of Compromise (continued)
NIST Cyber Security Framework
22
Phishing/Spear-Phishing
Malware, ransomware and social engineering
Client side threats, risks
Phishing/spear-phishing
Corporate account takeover and fraud
Insecure web application threats and risks
InfoSec Risk & Threat Overview
Physical & environmental threats, risks
Network threats and risks
HR and sourcing threats and risks
Cloud and vendor (third-party) threats and risks
Spam level reduced, campaigns are lasting longer
GreatHorn 2017 Spear Phishing Report
91% of phishing attacks are display name spoofs
Direct spoofs were 8% and domain lookalikes 1%
Highly targeted spear phishing, exploiting trust and pressure tactics
Malware embedded in attachments and documents
Continues to be a very effective method for exploit/payload delivery
Phishing/Spear Phishing
24
Examples of Phishing Attempts
25
Email Address does not match the sender
Examples of Phishing Attempts
Examples of Phishing Attempts
27
Be Aware!
28
Valid Site/Certificate for Salesforce
Email Address does not match the Sender:
Potentially unsafe web site
Examples of Phishing Attempts
29
Unfortunately, it only takes….
Emails that contain links even from known friends/family/coworkers
The link does not point to the actual site presented
The site is not secure
Emails that contain a download (picture, file, document, etc.)
Emails that create a scenario where your ‘friend’ is stuck in a country and needs money to get home, won the lottery, etc.
Techniques to Identify Phishing Attempts
A message with a response to a question you never had
Validate the message came from a legitimate sender by verifying the email address
A message explaining there is a problem and some information needs to be verified by clicking on a link
The link might look legitimate (all the right logos, content, etc.)
Convey a sense of urgency or warning if you fail to act soon
Techniques to Identify Phishing Attempts (Cont.)
What To Do
Slow down
•If a sense or urgency is conveyed be skeptical; never let their sense of urgency influence your review of the request
Research
•Do some research on the company or service. Use search engines to navigate to the company’s website
Reject any requests for assistance
•Charity donation, restore credit scores, refinance a home, answer your question, etc.
Control where you navigate
•Use search engines to find the web page rather then clicking directly within the email
33
A form of malware that locks or encrypts a victim’s files and demands a ransom payment in order to restore access to the files
Typically spread via phishing emails or distributed once a system is compromised
Attacks may demand electronic payment such as Bitcoin Some attacks increase the stakes as time passes,
demanding an increased payment and threatening to delete files from the system
The average ransom payment amount is $1,077 Prominent ransomware attacks: WannaCry, NotPetya,
CryptoWall, CryptoLocker, Locky, TeslaCrypt, Cryakl, Crowti, Fakebsod, WannaCry
What is Ransomware?
34
WannaCry
35
Back up your data and keep a recent backup off-site, access controlled and logically separated
Network and host segmentation, zero trust Be suspicious of unsolicited attachments Update and customize anti-spam management
protection Use anti-malware, web proxy and browser popup
protections Comprehensive malware scans including
compressed and archived files
Ransomware Prevention
Use strong passwords and multifactor authentication Disable file sharing, remote management and desktop services, wireless
communication, etc. unless needed Restrict executable from running in known malware locations Enable the showing of file extensions Restrict known address used in campaigns (Tor) Don’t use administrative accounts for non-administrative tasks If infected, disconnect from the network and external media right away. Employee training and awareness
Ransomware Prevention (Continued)
Targeted phishing campaigns A new breed of social engineering Malvertising Malicious tiny URL’s Exploitation of trust Abuse of the inherent use of social media (information sharing)
PREVENTION: Don’t accept everyone in your social circle Training and awareness Scrutinize all mobile downloads and app permissions Implement a social media policy Restrict the use of social media from trusted platforms
Social Media Attacks
38
Corporate Account Takeover
• Attacks perpetrated to electronic banking technology
• Distributed like any other malware
• Corporate and personal targets
• Elaborate fraud using in depth knowledge
- technology, business and financial
39
EFT Risk Assessment EFT Transaction Workflow
Documentation Segregation of Duty (Initiation
and Approval) Dedicated EFT Trusted Systems Multi‐factor Authentication
with Independent Mechanism (Token, FOB, SMS, Secure ID,
etc.)
Corporate Account Theft Mitigation
Logging, Monitoring and Reporting (systems, traffic and accounts)
Daily EFT Reconciliations Dedicated Clearing Accounts Positive Pay and Debit Blocks General IT Security and Controls
(Firewall, malware and AV, patch management, etc.)
http://www.journalofaccountancy.com/Issues/2010/Oct/20092174.htm
Cloud and Vendor Threats and Risks
Traditional risks apply
Cloud technical risks
Data access / segregation
Insecure APIs
Malicious Insiders [ Subcontractors]
Shared Technology Vulnerabilities
Maintenance of secure infrastructure
Cloud governance and legal risks
Lack of control and transparency
Lack of expertise or structure around vendor mgt
Lack of data management procedures
Service level disruptions
41
Cloud and Vendor Risk Mitigation
Cloud (system) functional risk assessment
Structured vendor management program
Identify and manage cloud
service providers
Identify scope of services
Identify data management requirements
Service level agreements
Restrict to only authorized
providers and services
Understanding of each parties roles
and responsibilities
Backup and restoration strategies
42
System and Organization Control Reporting (SOC) SSAE 18
43
SOC 1 SOC 2 SOC 3
SSAE 18 (for all reports issued on or after May 1, 2018
Restricted Use Report (Type I or Type II)
Generally a Restricted Use Report(Type I or Type II)
General Use Report
Controls over Financial Reporting (ICFR)
Trust Service CriteriaTSP Version 100TSP Version 100ATSP Version 100A‐1
SSAE 18(105, 320 & 205)
SSAE 18105, 205 – SOC2 (exam)
SSAE 18105, 205 – SOC2 (exam)
44
SOC Suite of ServicesReporting
LevelReport Category Intended Audience Benefit
Entity SOC for Cybersecurity
Board
Management
Investor
Regulator
Analysts
Transparency regarding the entity’s cyber risk
management
Service
Provider
SOC2
(New guide coming)
Business unit management
Vendor risk management
Accounting / internal audit
CISO
BCP
Transparency for the services provided and
provides assurance over the selected principles.
with detail
Service
Provider
SOC 1
(Recently released
guide)
Use of these reports is restricted to the management of
the service organization, user entities, and user auditors.
Transparency for the services provided and
provides assurance over internal control over
financial reporting. with detail
Supply
ChainNew guide coming
Business unit management
Vendor risk management
Accounting / internal audit
CISO
BCP
Transparency for the services provided and
provides assurance over the selected principles.
with detail
45
CIS Critical Security Controls (formerly SANS Top 20)
•Inventory of Authorized and Unauthorized Hardware DevicesCSC 1
•Inventory of Authorized and Unauthorized SoftwareCSC 2
•Continuous Vulnerability Assessment and RemediationCSC 3
•Controlled Use of Administrative PrivilegesCSC 4•Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and ServersCSC 5
•Maintenance, Monitoring, and Analysis of Audit LogsCSC 6
•Email and Web Browser ProtectionsCSC 7
46
CIS Critical Security Controls (Continued) (formerly SANS Top 20)
•Malware DefensesCSC 8
•Limitation and Control of Network Ports, Protocols, and ServicesCSC 9
•Data Recovery CapabilityCSC 10
•Secure Configurations for Network Devices such as Firewalls, Routers, and SwitchesCSC 11
•Boundary DefensesCSC 12
•Data ProtectionCSC 13
•Controlled Access Based on the Need to KnowCSC 14
47
CIS Critical Security Controls (Continued) (formerly SANS Top 20)
•Wireless Access ControlCSC 15
•Account Monitoring and ControlCSC 16
•Security Skills Assessment and Appropriate Training to Fill GapsCSC 17
•Application Software SecurityCSC 18
•Incident Response and ManagementCSC 19•Penetration Tests and Red Team Exercises CSC 20
“CIS Controls are especially relevant because they are updated by cyber experts based on actual attack data pulled from a variety of public and private threat sources.”
Cybersecurity Governance
Cybersecurity Governance
Board of Directors
Technology or IT
Steering Committee
Risk committee
Audit committee
Organization governance models will vary depending on size:
49
Communication
Needs to be appropriate for the level of organizational governance (know your audience)
Cybersecurity risk needs to be presented as a business risk
Strategy, Compliance, Operational, Financial, Reputational Risks
Cybersecurity Governance
Increased demand for transparency around the Cybersecurity Governance program, suitable measurement criteria and results
Cybersecurity Governance
51
Security/Cybersecurity Frameworks & Publications
NIST Cyber Security Framework
• FFIEC Cybersecurity Assessment tool (Map to NIST)• Information Security Forum (Map to NIST)• CSA ‐ Cloud Security Alliance CCM (Map to NIST)• HITRUST CSF (Map to NIST)• AICPA TS (Anticipate a mapping to NIST)• ALTA (References FFIEC Cybersecurity Assessment tool)
NIST 800‐53, 800‐171 Security & Privacy Controls for Federal and Non Federal Information Systems & Organizations
NIST Special Publications
CERT
52
Security/Cybersecurity Frameworks & Publications
Regulatory Resources:
• FFIEC, HIPAA, FedRAMP, FISMA
AICPA Trust Services (SOC 2,3)
AICPA Cybersecurity Resource Center
ISO 27000
PCI
SEC ‐ OCIE Office of Compliance Inspections and Examinations
•Risk Alert Volume IV, Issue 8 9/15/15
•2015 Cybersecurity Examination Initiative
53
Security/Cybersecurity Frameworks & Publications
DHS ‐ FISMA – FY15 CIO Metrics, Guidance for CEO’s
OWASP (Mobile and Web Applications)
COSO, CoBIT
Center for Internet Security (Critical Security Controls & Configurations)
California Attorney General Releases Data Breach ReportRecommendations for Organizations
And More….
54
Strategy (objectives, resources, business strategy)
Governance
Critical Data and Asset Identification
Risk Management
Vulnerability Management
Third Party Risk Management
Monitoring and Reporting
Incident Response and Breach Notification
Awareness and Training
Cybersecurity Governance Checklist
What is the impact of cyber risk to the organization? What are we doing to address these risks and do we
have the appropriate resources? Are these risk being considered at the entity level in
addition to each specific business unit? How are we informing executive management and
leadership about these risks and the overall impact? What industry standards or best practices does the
cybersecurity program follow and how often is it updated, tested and reviewed?
How many cyber incidents are occurring weekly/monthly and what thresholds are met for the incident to be escalated to executive management?
What questions should we be asking?
56
How mature and complete is the incident response plan, do we have the resources to meet the reporting expectations?
What methodology is used and how often is the incident response and business continuity program tested and evaluated?
Are we complying with the proper federal, state and regulatory breach and notification requirements?
Are we using the proper financial risk mitigation strategies ‐ cyber insurance?
What role does audit play around cybersecurity? Are we staying proactive enough for awareness
training?
What questions should we be asking? (Cont.)
57
Cyber Implications onOther Technology Trends
Internetworking of embedded and electronic devices for information use and exchange
Smart devices and technology
Functionality driven
Data collection points
Consumer and commercial use
Risk Considerations
Low level of security maturity
Privacy and confidentiality implications
Another technology asset that needs to fall under governance
Internet of Things (IOT)
59
Big Data & Data Analytics
Significant amounts of data
Proper analytics can be used for decision making, prediction of trends and
much more
Analysis of patterns of behavior and IOCs
(indicators of compromise)
Big Data: Collection of large data sets from a variety of sources (GPS, social media, behavioral history, etc.), normalized and used for analytics.
60
Big Data & Data Analytics
Data management and governance
Security Privacy Confidentiality
Integrity (bad data = bad analytics = unfavorable decisions)
Risk Considerations
61
Artificial Intelligence (AI) & Automation
(AI) Intelligence
•Demonstrated by machines where actions are taken based on behavior.
Machine problem solving
•Based on the use of complex algorithms, current and historical data sets and advanced logic.
Example use cases
•Cybersecurity (threat intelligence and threat hunting)
•Accounting (accounts payable, travel, etc.)
• Fraud detection (illicit transaction and money laundering)
•Manufacturing (throughput, expense, fulfilment, supply chain)
62
Blockchain
Open decentralized database for transactions of value
Transaction authenticity and integrity verified by a community
Based on technology, mathematics and cryptography
Distributed immutable ledger
Public or private blockchain implementations
Eliminate the need for an intermediary
Digital currency (bitcoin), ethereum (ether), smart contracts, storage of private data, triple entry accounting, trading transactions, direct sales, voting, digital identities and authentication, etc.
Systems vulnerabilities and flaws around design and implementation will not be eliminated by the use of block chain
63
64
Key Takeaways
Cyber Crimes are consistently occurring and the related costs are increasing.
Social engineering / spear phishing attacks are on the rise. Question the request. When in doubt contact a manager or IT
representative to verify the request. Use search engines to navigate to web sites rather then clicking links
within emails. Incident Response Procedures should be reviewed with all
employees. Call for verification based on authoritative publications. Follow your instincts…………
65
Key Takeaways (Continued)
It’s a Business Problem
Stop focusing on “if” we get breached and focus on “when”
Understand the significance of Executive, Board Level and Audit Committee involvement for Information Security Governance
Insist on a reasonable level of transparency to the organizations security governance program including risk management and incident response activities
66
Key Takeaways (Continued)
Stay involved and include information security / privacy governance high level strategic initiatives and performance metrics as regularly reviewed artifacts
Leverage and benchmark against frameworks Don’t get lost in the technology
Use appropriate communication sources
Govern as you would other business issues Ask the question
Don’t be intimidated by technology terms
Steven J. Ursillo, Jr.
Partner, Risk Assurance & Advisory ServicesNational Leader, Information Assurance & Cybersecurity
[email protected]@StevenUrsilloJr
What Questions Do You Have?
Major Concerns to Today’s Audit Committees of Public Companies
Cary McMillan, CEOTrue Partners Consulting
My Background
Role of the Audit Committee
Audit Committees Boards and Tax
Today’s Topics
©2017 True Partners Consulting LLC. All rights reserved. 2
Managing Partner – Arthur Andersen Chicago Office until November 1999
Audit Partner and CPA
My Background
©2017 True Partners Consulting LLC. All rights reserved. 3
Executive Vice President and Board Member –Sara Lee Corporation, 1999‐2004
CFO, 1999‐2001
CEO, Sara Lee Branded Apparel
–2001‐2004
–$7 billion division with 75,000 employees
My Background
©2017 True Partners Consulting LLC. All rights reserved. 4
NYSE Board of Directors–American Eagle Outfitters (2007 ‐ Present)
–Sara Lee Corporation (1999 ‐ 2004)
–McDonald’s Corporation (2003 – 2015)
–Hewitt Associates (2002 – 2010)
–Hyatt Hotels (2013 – Present)
My Background
©2017 True Partners Consulting LLC. All rights reserved. 5
CEO & Board Member, True Partners Consulting–Nationwide Tax Advisors
• Atlanta, Boston, Chicago, Dallas, Long Island, Los Angeles, New York, San Francisco, San Jose, Tampa
My Background
©2017 True Partners Consulting LLC. All rights reserved. 6
Financial ReportingInternal Control Assessment
Hiring and Firing of External Auditor
Managing Internal Audit
Finance Function Assessment
Traditional Role of Audit Committee
©2017 True Partners Consulting LLC. All rights reserved. 7
Cyber RiskData AnalysisPrivacyAnd for Many, Risk Assessment and Management
New Roles of Audit Committees
©2017 True Partners Consulting LLC. All rights reserved. 8
By Far Our Biggest Change!Governments – USA and International
Financial
Cyber Risk
©2017 True Partners Consulting LLC. All rights reserved. 9
Used to be Back in ITNow in Front Row!
How Data is Obtained
AccuracyInternal
Data Analytics
©2017 True Partners Consulting LLC. All rights reserved. 10
Europeans Leading the Way
USA Will Need to Catch Up
Privacy
©2017 True Partners Consulting LLC. All rights reserved. 11
1
The M&A Process: It’s not a Straight Path
PRESENTED BY
Brooke Evans & Kurt Blass
2
1. The Big View ‐ What’s Happening in the Economy2. M&A Transaction Activity3. M&A Deal Path – Navigating the curves and avoiding pitfalls4. Advice for Sellers on the Journey5. Accounting for Business Combinations ‐ Navigating the Guidance
1. Business Combination vs. Asset Purchase2. Taking Control ‐ Defining the Acquisition Date3. Transaction Costs & Consideration4. Purchase Price Allocation & Valuation Process
6. Panel Discussion ‐ The M&A Process
Please text CFOA to 22333 now to join our polling session
What we’ll cover today:
3
The Big ViewWhat’s Happening in the Economy
4
U.S. Tax Reform
Before Tax Reform
After Tax Reform
5
U.S. Federal Funds Rate
6
Business Outlook for the Middle Market
ExpandingOutlook
7
Q1 Corporate Earnings Snapshot
ExpandingOutlook
April 30 (Reuters) - U.S. stock index futures rose on Monday as strong earnings and a string of mergers lifted spirits, kicking off a busy week for inflation watchers.
8
Industry Valuation Multiples (DEC 2016 ‐ MAR 2018)
9
M&A DealsA Quick Look at Market Activity
10
U.S. M&A Activity vs. S&P 500
Where are the Deals?
Avg. D
eal V
ol. $(b)
S&P 500 In
dex
M&A deal volume vs. S&P500
11
2018 U.S. M&A Activity
0
500
1,000
1,500
2,000
2,500
3,000
3,500
$0
$100
$200
$300
$400
$500
$600
1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q
2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018
Deal Value ($B) Deal Count
2,874 1Q17
2,160 1Q18
2,453 4Q17
12
1Q18 M&A Activity (Completed Transactions)
Region # Deals % Cg Deal $ Value % Cg 1Q18 # of Deals 1Q18 $(b) Value 1Q17 # of Deals 1Q17 $(b) Value
N. America + Europe ‐18.4% ‐25.4% 4,867 $ 616.7 5,961 $ 826.1
United States ‐24.8% ‐35.9% 2,160 $ 300.3 2,874 $ 468.9
Florida ‐25.5% ‐32.6% 307 $ 10.9 412 $ 16.2
Tampa Bay ‐24.1% ‐12.9% 63 $ 2.2 83 $ 2.6
13
Florida M&A Activity
14
M&A Deal PathNavigating the curves and avoiding pitfalls
15
A Deal Path can Zig‐Zag due to Many Variables:
Deal Structure
Seller Motives
Buyer Type
Market Conditions
Capital Source
Trans. Type
Regulatory Environment
StakeholdersGeography
16
“Typical” Steps in a Deal:
1) Getting Ready for a Transaction
2) Finding a Partner
3) Negotiating the Transaction
4) Due Diligence (Evaluation)
5) Closing
6) Integration
17
Advice for Sellers on the
Journey
18
#1: Preparing for a Transaction
Ready. Aim. Fire. (In That Order)1. Have a Well thought out Exit Strategy
• Strive for Buyer Confidence 2. Know your Story
• Understand “normalized” EBITDA• Value drivers and detractors• Have coherent financials• Know your risks and be prepared to disclose them at the right time and in the right
way3. Timing is More than Half the Battle4. Build a Transaction Team
• All hands on deck• No such thing as “Too much help” • Investment in the process may yield millions in return
5. Have a Plan for Your Future• Anticipate pivots, twists, turns in the process• Identify realistic growth opportunities• Keep investing in the business (don’t put things off until the deal is done!)
19
#2: Finding the Perfect Partner
Go Fishing….There are lot’s of Fish in the Sea1. Know What You Want
• Top $$• Culture to remain intact• Growth capital, future involvement, 2nd bite of the apple• Personal liquidity• Retirement
2. Understand Types of Buyers and Their Motivations• Start a watch list
3. Use Expert Advisors• You don’t know what you don’t know• Let them help tell your story• Reduce the effects of emotions & noise
4. It Might Take Longer Than You Think• Anticipate delays in deal timing• How will business factors affect this?
5. The World Turns on Personalities• Understand the culture of your organization• Drama does not drive deal value
2020
Types of Buyers:
Strategic Buyers Financial Buyers
Competitors, Suppliers, Customers Complementary Businesses (seeking new growth channels) Consolidators
Private Equity Sponsors Companies owned by PEGS (bolt‐in acquisitions) Family Offices
21
#3: The Art of the Negotiation
I Got This……20x EBITDA!!
22
#3: The Art of the Negotiation
Know What you Want…..But be Realistic1. Continue Using Expert Advisors
2. Defining the LOI = Time Well Spent • Exclusivity ‐ to be or not to be exclusive
3. Uncle Sam has a Seat at the Table• Understand potential outcomes before starting
4. Terms can Terminate Deals• Taxes
• Noncompetes & Key Employee Retention
• Working capital
5. The Increasing Importance of Reps & Warranties Insurance
6. The Dreaded Re‐Trade
7. Tap into What Buyer Wants Most
23
#4: Due Diligence
What you Don’t Know Will Cost You1. Have your Ducks in a Row
• Be prepared, allocate proper resources
• Buyers are always from Missouri
• Design a diligence process flow• Version control (file1_new_v.#$%#!)
2. Have a Communication Plan• Who will be “under the tent”
3. Honesty is the Best Policy• Positioning the elephants
4. Make it Happen ‐ Time Kills Deals
24
Closing & IntegrationFinal Chapter and Second Journey
25
Closing
Be Ready to Cross the Finish Line1. Push & Shove
• Getting a deal to the finish line
2. Full Disclosure• Who will get that fun job?
3. Upping the Intensity Factor
4. Day 1 Details• A bit like a shuttle launch
5. Catch Your Breath … • NOW the hard work starts!
26
Integration
The Second Leg of the Journey …. Are We There Yet?1. Eat the Frog
• Cultural issues• Compensation & benefit issues• Reporting & Metrics• Creativity and Flexibility
2. Clarity – Priority # 1• No Such Thing as Over Communication
3. People, People, People4. A Good Plan Violently Executed Now
• Is better than a perfect plan executed next week5. 45‐60 Days Post Close
• Help!6. What did We Miss?
• Probably something!7. Delivering on the Plan
• Decisions from Data• Measure early, measure often
27
Accounting for Business Combinations: Navigating the Guidance
28
The winding path of accounting for business combinations is primarily covered in ASC 805 and ASU 2017‐01. Knowing the right questions to ask is a good way to avoid common implementation detours:
1. What are we buying?
2. When did we take control?
3. How much did we pay?
4. What are our transaction costs?
5. How do we find everything we bought?
6. How do we value all this stuff?
7. What if my estimates are wrong?
Staying on the Path
29
What are we Buying?Business Combination vs. Asset Purchase
30
• A business combination occurs when the buyer obtains control of a business via a transaction or other event. If the acquired entity does not meet the definition of a business, it is treated as an asset purchase.
What are we Buying?
General Indicators of Business Combination
• Purchase of substantially all assets and some liabilities
• Purchase price includes fair value of intangible assets
• Activities and assets are sufficient to provide an output or return to investors
• Revenues are generated before and after transaction
General Indicators of an Asset Purchase
• Purchase of a group of assets for use in its own operations
• Assets (inputs & processes), on their own, are not sufficient to provide an output
31
Definition of a business, per ASC 805
• A business is an integrated “set” of activities and assets that is capable of being conducted and managed for the purpose of providing a return in the form of dividends, lower costs, or other economic benefits directly to investors or other owners, members, or participants.
• The integrated “set” of activities must include at least one input and one substantive process; together, both must significantly contribute to the ability to create outputs.
• Although businesses usually have outputs, outputs are not required for an “integrated set” to qualify as a business.
What are we Buying?
Additional Guidance, per ASU 2017‐01
• If substantially all the fair value of the gross assets acquired is concentrated in a single identifiable asset or group of similar identifiable assets, the “set” does not qualify as a business.
• If the fair value of the acquired set is not “concentrated” then an evaluation of its workforce, processes and outputs (revenue , goods or services) must be performed.
32
What are we Buying?Is Target Producing Outputs Now?
(Revenue before and after Transaction)
No
• Organized workforce with ability to perform an acquired process which is critical to converting acquired inputs into outputs.
• An input that the organized workforce can convert into output.
Yes
• Organized workforce with ability to perform an acquired process which is critical to converting acquired inputs into outputs.
• An acquired contract that provides access to the organized workforce
• The acquired process significantly contributes to the ability to produce outputs, and the process cannot be replaced without significant cost, effort or delay.
• The acquired process significantly contributes to the ability to produce outputs, and the process is considered unique or scarce.
Target is a Business
Yes
Not a Business
Not a Business
No NoYes
33
Defining the Buyer & the Acquisition Date
Taking Control
34
Obtaining control: To evaluate if control has been obtained, the buyer must determine if the business is a VIE:
If the business is a VIE:• The buyer must apply the guidance in ASC 810‐10 to determine if it has a controlling financial interest in the VIE
• If a controlling financial interest is obtained, the transaction or event that gave rise to the interest should be accounted for as a business combination
If the business is not a VIE: • The buyer must determine if control has been obtained using the same definition of control that is used to determine if a voting interest entity should be consolidated
• Under this definition, control could be obtained in multiple ways including acquisition of a majority ownership interest or minority rights lapsing
When did we Take Control?
35
Determining the buyer and acquisition date• The “buyer”
• The buyer is typically the party transferring cash, incurring liabilities and/or issuing equity interests
• In a transaction involving a VIE, the buyer is always the Primary Beneficiary (PB).
• Acquisition date is typically the closing date except where the written agreement specifies another control transfer date
• Identifying the acquisition date impacts many areas including:1. Effective date for fair value measurements by the buyer2. For WIP and inventory cutoff3. The buyer begins consolidating the target for accounting purposes4. The clock starts for the “measurement period”5. May necessitate mid‐month close for opening balance sheet presentation
When did we take Control?
36
Transaction Costs & Consideration
How Much did We Pay?
37
Identification and Treatment of Transaction Costs• Acquisition costs are expensed in the transaction period and not part of the consideration transferred in a business combination
• The exception to this is that costs to issue debt or equity securities shall be recognized in accordance with other applicable guidance
• Buyer’s acquisition costs should be recognized by the buyer even if the are paid by the target, seller, or other related party
• Transaction costs such as legal or due diligence expenses or liabilities paid by the buyer for the benefit of the seller, are not expensed, they are deemed to be part of the purchase price consideration
What are our Transaction Costs?
38
Identifying all Transaction Consideration• Consideration is the fair value of all assets transferred plus liabilities incurred to the seller and equity interest issued by the acquirer.
• Items which should be included:• Transaction costs incurred for the benefit of the seller
• Installment payments
• Value of stock and stock options in NEWCO
• Contingent future payments (earnouts)• Treatment as consideration varies if conditional or unconditional
• Fair value includes consideration of probability of payment, and time value of money
• Subsequent period accounting varies depending on whether asset/liability or equity
How much did we Pay?
39
Identifying Costs Outside the Transaction Purchase Price• Items that settle previous relationships or payments for the benefit of the purchaser should not be included in total consideration.
• Items which should be excluded:• Settlement of existing balances with seller
• Transactions that, compensate employees or former owners for future service
• Transactions that, reimburse the seller for paying the purchaser’s acquisition related costs
• Payments to seller for restructuring costs incurred at request of buyer
• Payment to target employees that would be forfeited upon termination of their employment
How much did we Pay?
40
Finding & Valuing What you Bought
Purchase PriceAllocation
41
Identification of Acquired Assets and Assumed Liabilities• ASC 805 requires that all identifiable assets acquired in a business, be assigned a portion of the purchase
price based on their fair values. This includes current assets, fixed & other tangible assets, goodwill, and identifiable intangible assets,
• Current assets are often recorded at book value unless it varies significantly from fair value
• Material fixed assets, real estate and personal property, are typically appraised to determine recording value
• Intangible assets are to be separately recognized apart from goodwill if they are separable or arise from contractual or legal rights
• Many complex items arise from this process, including the following:• Marketing‐related
• Customer relationships and lists
• Internally developed intangibles & technology based intangibles
• Contingent liabilities, including contingent purchase price liabilities
• Non‐compete agreements
• Favorable and unfavorable contract assets and liabilities
• In process research and development (IPR&P)
• ASU 2014‐02 & 2014‐18 provides private company simplification for goodwill and intangibles
How do we Find Everything we Bought?
42
Valuation Methods• Income Approach ‐ estimates fair value by estimating the present value of net future economic benefits. Generally used to value the primary asset acquired in a business combination.
• Cost Approach ‐ measures fair value based on the amount necessary to construct or acquire an asset of equal utility after consideration of deterioration, or obsolescence. Generally used to value secondary assets in a business combination.
• Market Approach ‐ determines value through the analysis of the market price of comparable assets or business interest that have been traded in arms‐length transactions.
How do we Value all this Stuff?
43
Downstream Consequences to be Aware Of• Purchase accounting revenue & expense impacts
• Subsequent period amortization of “new” or revalued intangibles
• COGS impacts from write up or write down of WIP and inventory
• GAAP adjustments for sellers previously on other basis of accounting• Goodwill impairment or amortization
• Deferred revenue and “disappearing revenue”
• Subsequent accounting adjustments for “special” business combination assets and liabilities• Contingent consideration
• Indemnification assets
• Reacquired rights
• Revenue and expense changes can impact contractual agreements• Debt covenant compliance
• Compensation arrangements• Earn out calculations
How do we Value all this Stuff?
44
Measurement Period Adjustments• If accounting for a business combination is not complete in the reporting period the combination took place, the acquirer has a period of time to finalize its accounting.
• The buyer must disclose this identify all amounts included in the financials that are estimates• New information is obtained about facts and circumstances existing at the acquisition date:
• The new information is related to “known incomplete items” AND • The new information would have affected the recognition or measurement of some
element of the accounting (asset or liability) at the acquisition date• The amount of time since the acquisition was effective has not exceeded 1 year
• If these criteria are met, the corresponding entry to the measurement period adjustment is to goodwill
• If these criteria are not met, treat the adjustment as a change in estimate due to an error, with the corresponding entry to the statement of operations
What happens if my Estimates are Wrong?
45
Thank you!
Brooke Evans: [email protected] Blass: [email protected]
46
The M&A Process: Panel Discussion
Nicole Jackson ‐ Refresco Ken Bowles – Wilson HCG
Derivatives and Risk Management
Peter Klipa
Risk Mitigation
• Types of Risk– Interest Rate
– Foreign Currency Exchange Rate
– Equity Index
– Credit
• Risk Maintenance– Increase Predictability
– Decrease Volatility
– Contain Exposure
What is a Derivative
• Derivatives are financial instruments that derive their value from some characteristic of another underlying instrument, such as:
– Interest Rate
– Foreign Currency Exchange Rate
– Equity Index
• Unlike other financial instruments derivatives in and of themselves have no value
Authoritative Accounting Guidance
• Generally Accepted Accounting Principles (GAAP)
– ASC 815
• Statements of Statutory Accounting Principles (STAT or SSAP)
– SSAP 86
– One example of additional guidance on derivatives
Common Types of Derivatives
• Options
• Caps
• Floors
• Collars
• Futures
• Forwards
• Swaps
• Swaptions
Common Uses for Derivatives
• Risk Mitigation
– Company invests in a EURO denominated bond to achieve higher yields – foreign currency swap exchanging EURO for USD at a fixed rate mitigates net yield degradation due to FX fluctuations
– Company with fixed interest rate obligations –interest rate swap to exchange a fixed interest rate payment for a floating market rate
• Speculation
Derivative Considerations
• Costs
– Hedging costs
– Personnel costs
– Regulatory costs
• Alternatives
– Offsetting asset / liability pairing
– Other risk mitigation strategies
Accounting for Derivatives U.S. GAAP
• Balance Sheet – ALL derivatives must ALWAYS be recognized as assets or liabilities at fair value on the balance sheet
– Derivative assets and liabilities cannot be netted
• Income Statement– Changes in derivative fair values are sometimes immediately reflected in earnings, but are sometimes deferred and/or netted against gains and losses of hedged items
Accounting for Derivatives
• Although the asset and liability classification and valuation of derivatives is always consistent; the timing and net impact to the P&L is determined based on multiple factors and various special accounting rules (hedge accounting status vs. non‐qualifying status)
Accounting Classifications under ASC 815
• Hedge Accounting (special accounting rules)– Fair Value
– Cash Flow
– Net Investment in Foreign Operations
• Non‐qualifying– ALL changes in derivative fair values are ALWAYS immediately recognized in earnings
– All derivative related earnings must go to the same financial statement line
Hedge Accounting vs. Non‐qualifying Treatment
• The use of hedge accounting is optional
• If hedge accounting is chosen:– The hedging strategy must be documented and a determination of the type of hedge must be assessed at inception
– The hedging relationship must be expected to be highly effective
• If hedge accounting is achieved:– Special accounting rules, benefitting the entity, are permitted
Required Documentation for Hedge Accounting
• Primary Requirements under GAAP
– The risk management objective and strategy for achieving that objective
– The nature of the risk being hedged
– The hedging instrument used
– The hedged item
– The method to assess hedge effectiveness
– The method to measure hedge ineffectiveness
Hedge Accounting SummaryHedge Status Recognition of Gain or
LossComments
Fair Value Hedge – hedge of asset or liability
In net income, offsets loss or gain on hedged item
Hedged item gets special accounting
Cash Flow Hedge – hedge of variable cash flows or a forecasted transaction
Outside of earnings until the forecastedtransaction affects earnings
Derivative gets special accounting
NIFO Hedge ‐ hedge of foreign currency exposure of a net investment in foreign operations
Outside of earnings as part of cumulative translation adjustment in OCI until foreign operation is substantially liquidated
Derivative gets special accounting
Non‐qualifying derivative In earnings No special accounting permitted
Fair Value Specifics
• Accounting Specifics– Derivative is carried on the balance sheet at FV– Hedged item (examples are bonds, mortgage loans, debt) is carried at FV on the balance sheet with changes in FV recorded directly to earnings (special accounting)
– Changes in the FV of the derivative are recorded to earnings
– Changes in the FV of the hedged item are recorded to the same earnings location as the derivative (special accounting)
– Difference between the change in FV of the derivative vs. the hedged item is measured ineffectiveness which nets in earnings (special result of treatment)
Cash Flow Specifics
• Accounting Specifics– Derivative is carried on the balance sheet at FV
– Hedged item (examples are bonds, mortgage loans, debt) is accounted for using its normal convention
– Changes in the FV of the derivative are recorded in other comprehensive income (special accounting)
– Changes in the FV of the hedged item are recorded to their traditional location (typically in OCI or carried at cost)
– Through this treatment, FV changes do not impact earnings. Derivative earnings are typically reclassified out of OCI only when the hedged item’s normal accounting impacts earnings (special accounting)
Embedded Derivatives
• Simple Definition – A derivative within another contract that is not a derivative– A call option feature on a bond issuance – call option is a derivative, but a bond is classified as an invested asset not a derivative
• In some cases GAAP requires that embedded derivatives be bifurcated from the host contract and accounted for separately
Bifurcation is Required when…
• The embedded feature meets the definition of a derivative
• The entire instrument is not already carried at FV with changes in value included in earnings
• The features in the contract are not clearly and closely related– Example – debt instruments with interest payments tied to credit score (own credit clearly and closely related to debt) vs. changes in the S&P 500 (equity index not clearly and closely related to debt)
Wrap Up
© 2018 Crowe Horwath LLP
Healthcare Provider Risks and TrendsMay 18, 2018 – USF CPE Day, Tampa, FL
© 2018 Crowe Horwath LLP 2Audit | Tax | Advisory | Risk | Performance
Objectives
Session is designed to discuss recent and relevant healthcare provider risks and trends for CPE A&A credit.
Cybersecurity
Volume to Value and the Affordable Care Act
Pharmacy: Controlled Substances & 340B
Healthcare Transformation
Takeaways
Understand some key risks associated with today’s healthcare provider environment
Explain how healthcare systems are responding to these risks
© 2018 Crowe Horwath LLP 3Audit | Tax | Advisory | Risk | Performance
Cybersecurity
© 2018 Crowe Horwath LLP 4Audit | Tax | Advisory | Risk | Performance
Healthcare Data Breaches Reported to Office of Civil Rights
© 2018 Crowe Horwath LLP 5Audit | Tax | Advisory | Risk | Performance
Cybersecurity
“Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.”
Objectives of Security continue to be: The Triad of Security – CIA of “CRITICAL DATA” Confidentiality Integrity Availability
Who does it impact? Anyone or Anything, connected to the internet
© 2018 Crowe Horwath LLP 6Audit | Tax | Advisory | Risk | Performance
Trends in Cybersecurity
Expect Cyber attacks More frequent, varied and mobile Center stage and becoming more public More corporate accountability and resulting litigation More regulatory pressure
As a result of the above four trends, other sub-trends are: Standard frameworks Growing workforce Expanded research Mobile coverage
© 2018 Crowe Horwath LLP 7Audit | Tax | Advisory | Risk | Performance
Industry Impacts
Over 90% of healthcare organizations had a data breach in the past two years Approximately 45% of healthcare organizations had 5 or more incidents Average cost of a medical record data breach to an organization was over
$200 per record Average cost of a medical record on the black market is $10 or more. Cost of an
individual’s credit card record is going for less than $0.50 Causes of healthcare data breaches:
Lost or stolen devices Employee actions (other than losing devices) Third parties Hacking (or similar) attempts
Average cost to victims is over $13,000 Breaches cost the healthcare industry approximately $5.6 billion per year
© 2018 Crowe Horwath LLP 8Audit | Tax | Advisory | Risk | Performance
Some publicized 2017 Healthcare breaches
© 2018 Crowe Horwath LLP 9Audit | Tax | Advisory | Risk | Performance
How are Healthcare Systems responding
Guidance for Healthcare OCR; National Institute of Standards and Technology (NIST;) Health Insurance
Portability and Accountability Act (HIPAA) Timely risk assessment, as required under the HIPAA Security Rule, to pave
the way for mitigating risks and avoiding breaches. Boost information security programs beyond the requirements of HIPAA, NIST
Cybersecurity Framework provides healthcare organizations with a roadmap for "looking where you are now, and where you want to be.“
Health Information Trust Alliance (HITRUST) – Popular security interoperability controls framework, provide support for the NIST Framework
Security Assessments, incident planning responses, and penetration testing
© 2018 Crowe Horwath LLP 10Audit | Tax | Advisory | Risk | Performance
Ongoing Cybersecurity Protection
© 2018 Crowe Horwath LLP 11Audit | Tax | Advisory | Risk | Performance
Volume to Value and the Affordable Care Act
© 2018 Crowe Horwath LLP 12Audit | Tax | Advisory | Risk | Performance
Health Care Reform is a transformative event - it is fundamentally changing the way health care is paid for, delivered and consumed in the U.S. over the next 20 to 30 years, and it will affect:
Every employer
Every person residing in
the U.S.
Everyhealth care
provider
Every pharmacy benefits
management provider and every
pharmaceutical company
Every medical device
manufacturer
© 2018 Crowe Horwath LLP 13Audit | Tax | Advisory | Risk | Performance
Volume to ValueVolume to Value
Fee for Service –No Link to QualityFee for Service –No Link to Quality
Payments are based on volumes of services and not linked to quality or efficiency.
Payments are based on volumes of services and not linked to quality or efficiency.
-Limited in Medicare fee for service
-Majority of Medicare payments are not linked to quality
-Limited in Medicare fee for service
-Majority of Medicare payments are not linked to quality
Fee for Service –Link to Quality
Fee for Service –Link to Quality
At least a portion of payments vary based on the quality or efficiency of healthcare delivery.
At least a portion of payments vary based on the quality or efficiency of healthcare delivery.
-Hospital value based purchasing
-Physician value-based modifier
-Readmission/ hospital acquired condition reduction program
-Hospital value based purchasing
-Physician value-based modifier
-Readmission/ hospital acquired condition reduction program
Alternative Payment Models
Built on Fee for Service Architecture
Alternative Payment Models
Built on Fee for Service Architecture
Some payment is linked to the effective management of a population or an episode of care. Payments on delivery of services, but opportunities for shared savings or two-sided risk.
Some payment is linked to the effective management of a population or an episode of care. Payments on delivery of services, but opportunities for shared savings or two-sided risk.
-Accountable Care Organizations (ACOs)
-Bundled Payments
-Comprehensive primary care initiative
-Medicare – Medicaid financial alignment initiative fee-for service model
-Accountable Care Organizations (ACOs)
-Bundled Payments
-Comprehensive primary care initiative
-Medicare – Medicaid financial alignment initiative fee-for service model
Population-Based Payment
Population-Based Payment
Payment is not directly triggered by service delivery and volume is not linked to payment. Clinicians and organizations are paid and responsible for the care of a beneficiary for a long period.
Payment is not directly triggered by service delivery and volume is not linked to payment. Clinicians and organizations are paid and responsible for the care of a beneficiary for a long period.
-Eligible Pioneer ACOs
-Advanced Payment ACOs
-Eligible Pioneer ACOs
-Advanced Payment ACOs
© 2018 Crowe Horwath LLP 14Audit | Tax | Advisory | Risk | Performance
Major Legislation driving Volume to Value
February 2009 – American Reinvestment & Recovery Act (ARRA) establishing Health Information Technology for Economic and Clinical Health (HITECH) Establishes a system of bonuses and penalties to encourage providers to adopt
electronic record systems that are demonstrated as meaningful (Meaningful Use)
Systems form basis of quality reporting
March 2010 – Patient Protection and Affordable Care Act (ACA) Make Healthcare more affordable
Expand Medicaid coverage for opted in States to 138% of poverty
Support care delivery models to improve quality and lower cost
ACA provides a platform and commitment to testing new approaches to how healthcare is delivered and paid for while recognizing there is no single solution Center for Medicare and Medicaid Innovation
Patient-Centered Outcomes Research Institute
Medicare-Medicaid Coordination Office
National Strategy for Quality Improvement in Health Care
Prevention and Public Health Fund
© 2018 Crowe Horwath LLP 15Audit | Tax | Advisory | Risk | Performance
Trump Administration Response In First Year No change to Obama Administration value-based goals 30% of Medicare payments to hospitals and physicians through alternative payment
models by end of 2016 (Achieved)
50% of Medicare payments through alternative payment models by end of 2018
No significant changes thus far to the Medicare ACO program
Elimination of proposed mandatory bundled payment programs
First introduction of a new voluntary bundled payment program in January 2018 – BPCI Advanced
Further exemptions granted from MACRA participation
Repeal of Health Insurance Mandate
© 2018 Crowe Horwath LLP 16Audit | Tax | Advisory | Risk | Performance
Care Delivery Change Requirements
• Reduce Waste and Redundancy
• Slow Historical Growth Rate in Healthcare Costs
• Implement Efficient and Effective Clinical Processes
• Increase Care Coordination
• Strengthen Transparent Exchange of Healthcare Information
• Improve Professional Credibility & Market Perception
• Compete for Populations Served
• Improve Patient Outcomes
• Adhere to Evidence Based Standards
• Foster Cultural Change: Safety and Reliability
© 2018 Crowe Horwath LLP 17Audit | Tax | Advisory | Risk | Performance
Affordable Care Act (ACA) Initiatives Designed to Measure and Compensate Hospitals for Performance
Payment Models
Medicare Shared Savings Programs and creation of Accountable Care Organizations
Value Based Purchasing
Hospital Acquired Conditions and Readmissions Program
Bundled Payments & BPCI Advanced program
MACRA – MIPS & Alternative Payment Models
Direct Provider Contracting (CMS 2018 idea)
Quality of Care
31 measures covering: Patient/Caregiver Experience, Care Coordination/Patient Safety, Preventative Health, At-Risk Population
© 2018 Crowe Horwath LLP 18Audit | Tax | Advisory | Risk | Performance
Risks
Technology
Culture Shifts
Complex quality reporting
Complex rules behind payment models
Impacts
Patient Quality
Reduced reimbursement and/or penalties
Long term growth/ sustainability of the provider entity
Shifts in operational models
© 2018 Crowe Horwath LLP 19Audit | Tax | Advisory | Risk | Performance
How are hospitals reacting?
Reimbursement Impacts
Quality of Care
Improvements
Cost Reduction
© 2018 Crowe Horwath LLP 20Audit | Tax | Advisory | Risk | Performance
Pharmacy: Controlled Substances & 340B
© 2018 Crowe Horwath LLP 21Audit | Tax | Advisory | Risk | Performance
The Opioid Epidemic - Facts
What are the facts (according to the Centers for Disease Control): On average, 115 Americans die every day from an opioid overdose
Nearly two million Americans either abused or were dependent on prescription opioid pain relievers
Overdoses from prescription opioids are a driving factor in the 16-year increase in opioid overdose deaths
The majority of drug overdose deaths (66%) involve an opioid
© 2018 Crowe Horwath LLP 22Audit | Tax | Advisory | Risk | Performance
Controlled Substance Thefts (Employee Pilferages = 41%)
© 2018 Crowe Horwath LLP 23Audit | Tax | Advisory | Risk | Performance
Controlled Substances
Risks
© 2018 Crowe Horwath LLP 24Audit | Tax | Advisory | Risk | Performance
Actions Control Design Audit: From Order to Dispense / Waste / Reverse Distributor
Accountability Audit
Diversion Investigations
Assistance with potential BOP and/or DEA investigations or Settlement Agreements
© 2018 Crowe Horwath LLP 25Audit | Tax | Advisory | Risk | Performance
340B – What is it?
Established by Congress in 1992
Administered by Health Resources and Services Administration/Office of Pharmacy Affairs (HRSA/OPA)
Improve prescription drug access to uninsured patients
Drug manufacturers agree to provide discounted prices to “covered entities” for covered outpatient drugs
Eligible Patients:
Patients must receive outpatient healthcare services other than drugs from the 340B covered entity; and the services were provided by a healthcare professional who is either employed by the covered entity or provides healthcare under a contractual arrangement.
© 2018 Crowe Horwath LLP 26Audit | Tax | Advisory | Risk | Performance
EligibilityEligible Organizations:
Nonprofit healthcare organizations that have certain Federal designations or receive funding from specific Federal Programs can become eligible organizations (covered entities)
Examples include:
Federally Qualified Health Centers
Disproportionate Share Hospitals
Critical Access Hospitals
Sole Community Hospitals
Ryan White HIV/AIDS Programs
Tuberculosis Clinics
Eligible Drugs:
FDA-approved prescription drugs
Over the counter drugs via prescription
FDA-approved insulin
Biological products that can be dispensed only by prescription
© 2018 Crowe Horwath LLP 27Audit | Tax | Advisory | Risk | Performance
During the enrollment process a covered entity will elect how they will implement their program as follows: In-House Pharmacy, in which the covered entity owns drugs, pharmacy and
license; purchases drugs; is fiscally responsible for the pharmacy; and pays pharmacy staff.
Contract Pharmacy Arrangements, in which the covered entity owns drugs; purchases drugs; pays (or arranges for patients to pay) dispensing fees to one or more contract pharmacies; and contracts with pharmacy to provide pharmacy services.
Provider/In-House Dispensing, in which the covered entity owns drugs; employs providers licensed in the state to dispense; holds a license for dispensing for the participating providers; and is fiscally responsible for operating and dispensing costs.
© 2018 Crowe Horwath LLP 28Audit | Tax | Advisory | Risk | Performance
Risks
Heavily regulated –
Exposed to HRSA audits
Program Independent audit requirements
Complex contractual arrangements if contract pharmacy status
Information Technology Systems
Maintenance of records to filter specific scenarios (i.e. specific services for specific patients for specific drugs)
Constant regulatory Change
Financial impact of program
© 2018 Crowe Horwath LLP 29Audit | Tax | Advisory | Risk | Performance
Healthcare Transformation
© 2018 Crowe Horwath LLP 30Audit | Tax | Advisory | Risk | Performance
Healthcare Transformation
Regulation change in Volume to Value
Mergers & Acquisition Activity System Mergers Mercy Health & Bon Secours
Ascension & Presence
CHI & Dignity
Pharmacy/ Drug Mergers CVS & Aetna
Walmart (Large Pharmacy) & Humana
Non Traditional Berkshire Hathaway/ Amazon/ JP Morgan Chase??!!
UBER??!!
Technological change Telemedicine
Machine Learning
Device integration
© 2018 Crowe Horwath LLP 31Audit | Tax | Advisory | Risk | Performance
Contact
Harry Kimball, CPA
CHAN Healthcare
Direct: (904) 728-0738