How to discover fraud in the public procurement process

Read this if your facility or organization has received Provider Relief Funds.

The rules over the use of the HHS Provider Relief Funds (PRF) have been in a constant state of flux and interpretation since the funds started to show up in your bank accounts back in April. Here is a summary of where we are as of June 14, 2021 on HHS’ reporting requirements. Key highlights:

These requirements apply to:

• PRF General and Targeted Distributions
• the Skilled Nursing Facilities (SNF) and Nursing Home Infection Control Distribution
• and exclude:
  • the Rural Health Clinic COVID-19 Testing Program
  • claims reimbursements from HRSA COVID-19 Uninsured Program and the HRSA COVID-19 Coverage Assistance Fund (CAF)

This notice supersedes the January 15, 2021 reporting requirements.
Deadline for Use of Funds:

Recipients who received one or more payments exceeding $10,000 in the aggregate during each Payment Received Period above (rather than the previous $10,000 cumulative across all PRF payments) are subject to the above reporting requirements 

Responsibility for reporting:

• The Reporting Entity is the entity that registers its Tax Identification Number (TIN) and reports payments received by that TIN and its subsidiary TINs.
• For Targeted Distributions, the Reporting Entity is always the original recipient; a parent entity cannot report on the subsidiary’s behalf and regardless of transfer of payment.

Steps for reporting use of funds:

1. Interest earned on PRF payments
2. Other assistance received
3. Use of SNF and Nursing Home Control Distribution Payments if applicable (any interest earned reported here instead), with expenses by CY quarter
4. Use of General and Other Targeted Distribution Payments, with expenses by CY quarter
5. Net unreimbursed expenses attributable to Coronavirus, net after other assistance and PRF payments by quarter
6. Lost revenues reimbursement (not applicable to PRF recipients that received only SNF and Nursing Home Infection Control Distribution payments)

PORTAL WILL OPEN ON JULY 1, 2021!

Access the full update from HHS: Provider Post-Payment Notice of Reporting Requirements.

Read this is you are at a financial institution and concerned about fraud.

The numbers tell a story: Financial fraud 

Back in 2016, BerryDunn’s Todd Desjardins wrote about occupational fraud at financial institutions. This article mainly cited information from a 2016 Report to the Nations (2016 Report) published by the Association of Certified Fraud Examiners (ACFE). Fast forward to 2021, and ACFE’s 2020 Report to the Nations: Banking and Financial Services Edition (2020 Report) displays that occupational fraud continues to be a concern.

Financial institutions account for 19% of all occupational fraud worldwide, up from 16.8% in the 2016 Report. These fraud causes have a median loss of $100,000 per case—down from $192,000 per case in the 2016 Report. Cases had risen slightly from the 2016 Report to 386—up from 368 cases.

What does a fraudster look like, and how do they commit their crimes? How do you prevent fraud from happening at your organization? And, how can you strengthen an already robust anti-fraud program? These questions, raised in Todd’s 2016 article, remain relevant today. 

A profile in fraud: Who can it be? 

One of the most difficult tasks any organization faces is identifying and preventing potential cases of fraud. This is especially challenging because the majority of employees who commit fraud are first-time offenders with no record of criminal activity, or even termination at a previous employer.

The 2020 Report reveals a few commonalities between fraudsters. The amounts from the 2016 Report are shown in parentheses for comparison purposes:

• 3% of fraudsters had no criminal background (3%)
• Men committed 71% of frauds and women committed 29% (69%, 31%)
• 56% of fraudsters were an employee, 27% worked as a manager, and 14% operated at the executive/owner level (3%, 31%, 20%)
• The median loss for fraudsters who had been with their organizations for more than five years was $150,000 compared to $86,000 for fraudsters who had been with their organizations for five years or less ($230,000, $74,500)

Employees who committed fraud displayed certain behaviors during their schemes. The ACFE reported these top red flags in its 2020 Report:

• Living beyond means: 42% (45.8%)
• Financial difficulties: 33% (30%)
• Unusually close association with vendor/customer: 15% (20.1%)
• Divorce/family problems: 14% (13.4%)

These figures give us a general sense of who commits fraud and why. But in all cases, the most pressing question remains: how do you prevent the fraud from happening?

Preventing fraud: A commonsense approach that works

As a proactive plan for preventing fraud, we recommend focusing time and energy on two distinct facets of your operations: leadership tone and internal controls.

It all starts at the top: Leadership

The Board of Directors and senior management are in a powerful position to prevent fraud. By fostering a top-down culture of zero-tolerance for fraud, you can diminish opportunity for employees to consider, and attempt, fraud.

It is crucial to start at the top. Not only does this send a message to the rest of the company, but frauds committed at the executive level had a median loss of $1,265,000 per case, compared to a median loss of $77,000 when an employee perpetrated the fraud. This is compared to a median loss of $500,000 and $54,000 per case, respectively, in the 2016 Report.

Improving your internal control culture

Every financial institution uses internal controls in its daily operations. Override of existing internal controls, lack of internal controls, and lack of management review were all cited in the 2020 Report as the most common internal control weaknesses that contribute to occupational fraud in the banking and financial services industry.

The importance of internal controls cannot be overstated. Every organization should closely examine its internal controls and determine where they can be strengthened—even financial institutions with strong anti-fraud measures in place.

We have created a checklist of the top 10 controls for financial institutions, available in our white paper on preventing fraud. This is a list that we encourage every financial leader to read. By strengthening your foundation, your company will be in a powerful place to prevent fraud. 

Get the keys to prevent fraud—free fraud prevention white paper

Employees are your greatest strength and number one resource. Taking a proactive, positive approach to fraud prevention maintains the value employees bring to a financial institution, while focusing on realistic measures to discourage fraud.

In our white paper on preventing financial institution fraud, we take a deeper look at how to successfully implement a strong anti-fraud plan.

Commit to strengthening fraud prevention and you will instill confidence in your Board, employees, customers, and the general public. It’s a good investment for any financial institution. If you have any questions, please contact our team. We’re here to help. 
 

Read this if you work in an alcohol control capacity for state government.

The COVID-19 outbreak has changed the alcoholic beverage industry significantly over the last 14 months. Restrictions forced people to stay at home, limiting their travel to restaurants, bars, and even some stores to purchase their favorite spirits. In at least 32 states, new legislation allowed consumers the option to buy to-go cocktails as a way to help these establishments stay in business. As a result, consumers took advantage of alcohol delivery services. 

There were two large shifts in consumer purchasing for the alcoholic beverage industry in 2020. The first was a shift from on-premise to off-premise purchasing (for example, more takeaway beverages from bars, breweries, and other establishments). The second was the explosion of e-commerce sales for curbside pickup and home delivery. A study by IWSR, an alcoholic beverage market research firm, stated that alcohol e-commerce sales grew 42% in 2020. The head of consumer insights for the online alcoholic beverage delivery service, Drizly, attributes this growth to the “increased consumer awareness of alcohol delivery as a legal option, as well as an overall shift in consumer purchasing behavior toward online ordering and delivery”. 

How state agencies responded

The move to an e-commerce model has impacted state agencies who regulate the distribution and/or sale of alcohol. States such as Oklahoma, Alabama, and Georgia recently passed legislation allowing alcohol delivery to consumers’ homes. In alcoholic beverage control states, where the state controls the sale of alcohol at the wholesale level, curbside pickup programs (New Hampshire) were implemented, while others started online home delivery services (Pennsylvania). 

In a fluid legislative environment, states agencies are working to meet consumer needs in a very competitive marketplace, while fulfilling their regulatory obligation to the health and safety of their constituents.

How alcoholic beverage control states can adapt

Now is an opportune time for control state agencies to keep pace with consumer demand for more flexible purchasing options, such as buying online with home delivery, or some form of curbside and/or in-store pickup programs. Every one of the 17 alcoholic beverage control states has passed legislation to allow the delivery of either beer, wine, and/or distilled spirits in some form, with some limitations.

While for some the COVID-19 outbreak has necessitated these more distant shopping experiences, the option of these sales channels has brought consumers flexibility they will expect going forward. This calls for control state agencies to act on this changing consumer demand. By prioritizing investing in and taking ownership of new sales channels, such as e-commerce and curbside pickup, control state agencies’ technology and logistics teams can develop strategies and tools to effectively adapt to this new demand. 

Adapting technology and logistics

Through technology, control state agencies can take advantage of e-commerce and curbside pickup sales channels, to drive more revenue. We recommend control states consider the following: 

Define the current capabilities to support an online sales strategy

An important first step is to define how to address constituents’ evolving needs as compared to the current e-commerce capabilities control state agencies can support. Considerations include:

• Are current staff capable of developing and supporting new website capabilities to meet the increased demand on the website?  
• How will the current customer support team(s) expand to support concerns from the new channels?
• How will new e-commerce order volume be fulfilled for home delivery (including order errors, breakage, returns, etc.)?   

Control state agencies should complete current and future state assessments in each area above to confirm what capabilities they have today and which they would like to have in the future; which will allow for an accurate gap analysis and comparison to their future state needs. Once the current state assessment, future state strategy, and gap analysis are complete, control state agencies can define the projects required to support the future state requirements. 

Reevaluate existing fulfillment, inventory, and distribution processes

Each control state has existing product fulfillment, inventory and distribution processes, and information technology (IT) tools for delivering alcohol, to their own or licensed retail stores and businesses. These current processes and IT systems should be assessed as part of the current state capabilities assessment mentioned above, to help define the level of change needed to support the control state agency’s future needs in the e-commerce channel. Key assessment questions control state agencies should ask themselves include: 

• Can the current IT systems (e.g., inventory management, customer relationship management [CRM], customer support/call center, financial, point of sale [POS], and website infrastructure) support required upgrades?
• Can retail teams and today’s infrastructure support order taking, inventory, fulfillment, and buy online pickup in store programs?
• How will warehouse and retail stores track and manage the e-commerce shipments and returns related to this channel?
• If home delivery is part of the strategy, define how the delivery logistics will be met through state or vendor resources.
• What staffing model and skill sets will support future business needs?
• What is the total cost of ownership for these new e-commerce capabilities so that the short and long-term costs and profits can be accurately estimated? 

The answers to these questions will help to inform a future e-commerce strategy and accommodate the cost and staff impacts. 

Bring in online retail expertise

It is important to ensure that the control state agency has website and mobile capabilities to support today’s consumer needs. This includes the ability to order a wide range of products online for either home delivery or buy online pickup in store. The design of the website and mobile transactional capabilities is critically important to the success of this channel, the true growth in revenues. Being marketing focused (e.g., allowing consumers to view and order products, save items for later, and see similar products) will help drive traffic and sales on this upgraded channel. 

For control state agencies with a more static product website, consider purchasing a commercial off-the-shelf (COTS) e-commerce product with existing retail-focused website features, or contract with a vendor to build a website that meets more unique needs. The control state agency should bring in at least one online retail subject matter expert vendor to help set the direction, design the upgrades or new site, manage the project(s) needed to implement the online capabilities, and potentially manage the operational support of the website and mobile solution.

BerryDunn provides state alcoholic beverage control boards and commissions with many services along the IT system acquisition lifecycle, including planning, needs assessment, business process analysis, request for proposal (RFP) development, requirements development, technology contract development, and project management services. 

For the full list of steps to consider and to learn more about how you can successfully position your control state agency to adapt to the changing alcoholic beverage landscape, contact us.
 

Read this if you are a hospital or healthcare organization that has received Provider Relief Funds. 

The long-awaited Provider Relief Fund (PRF) Reporting Portal (the Portal) opened to providers on January 15, 2021. Unfortunately, the Portal is currently only open for the registration of providers. The home page for the Portal has information on what documentation is needed for registration as well as other frequently asked questions.

We recommend taking the time to review what is needed and register as soon as possible. Health Resources & Services Administration (HRSA) has suggested the registration process will take approximately 20 minutes and must be completed in one session. The good news is providers will not need to keep checking the Portal to see when additional data can be entered as the Portal home page states that registered providers will be notified when they should re-enter the portal to report on the use of PRF funds.

Access the portal

The Provider Relief Fund (PRF) Reporting Portal is only compatible with the most current stable version of Edge, Chrome and Mozilla Firefox.

Read this if you are at a rural health clinic or are considering developing one.

Section 130 of H.R. 133, the Consolidated Appropriations Act of 2021 (Covid Relief Package) has become law. The law includes the most comprehensive reforms of the Medicare RHC payment methodology since the mid-1990s. Aimed at providing a payment increase to capped RHCs (freestanding and provider-based RHCs attached to hospitals greater than 50 beds), the provisions will simultaneously narrow the payment gap between capped and non-capped RHCs.

This will not obtain full “site neutrality” in payment, a goal of CMS and the Trump administration, but the new provisions will help maintain budget neutrality with savings derived from previously uncapped RHCs funding the increase to capped providers and other Medicare payment mechanisms.

Highlights of the Section 130 provision:

• The limit paid to freestanding RHCs and those attached to hospitals greater than 50 beds will increase to $100 beginning April 1, 2021 and escalate to $190 by 2028.
• Any RHC, both freestanding and provider-based, will be deemed “new” if certified after 12/31/19 and subject to the new per-visit cap.
• Grandfathering would be in place for uncapped provider-based RHCs in existence as of 12/31/19. These providers would receive their current All-Inclusive Rate (AIR) adjusted annually for MEI (Medicare Economic Index) or their actual costs for the year.

If you have any questions about your specific situation, please contact us. We’re here to help.

Read this if you are a CFO, CEO, COO, or CLO at a financial institution.

The preparation of financial statements by financial institutions involves a number of accounting estimates, some of which can be quite complex. As these estimates are often a significant focus of audits of those financial statements, financial institution personnel affected by the audit process might benefit from a discussion of the rules auditors need to follow when auditing estimates.

Accounting estimates

Across all industries, there are financial statement items that require a degree of estimation because they cannot be measured precisely. These amounts, called accounting estimates, are determined using a wide array of information available to management. In using such information to arrive at the estimates, a degree of estimation uncertainty exists, which has a direct effect on the risks of material misstatement of the resulting accounting estimates. For financial institutions, common examples of accounting estimates include the allowance for loan losses, valuation of investment securities, allocation of the purchase price in a bank or branch acquisition, and depreciation and amortization of premises and equipment, in addition to intangibles and goodwill. 

For entities other than public companies, the auditing rules are established by the American Institute of Certified Public Accountants’ Auditing Standards Board (ASB). Under these requirements a financial statement auditor has a responsibility to assess the risks of material misstatement for accounting estimates by obtaining an understanding of the following items: 

• The requirements of generally accepted accounting principles (GAAP) relevant to accounting estimates, including related disclosures. 
• How management identifies those transactions, events, and conditions that may give rise to the need for accounting estimates to be recognized or disclosed in the financial statements. In obtaining this understanding, the auditor should make inquiries of management about changes in circumstances that may give rise to new, or the need to revise existing, accounting estimates. 
• How management makes the accounting estimates and the data on which they are based. 

This final item—determining how management has calculated the accounting estimate in question—includes the following specific aspects for the auditor to address:

• the method(s), including, when applicable, the model, used in making the accounting estimate; 
• relevant controls; 
• whether management has used a specialist; 
• the assumptions underlying the accounting estimates; 
• whether there has been or ought to have been a change from the prior period in the method(s) or assumption(s) for making the accounting estimates, and if so, why; and 
• if so, how management has assessed the effects of estimation uncertainty. 

Professional skepticism

When analyzing management’s assessment of the effects of estimation uncertainty, the auditor needs to apply professional skepticism to the accounting estimate by considering whether management considered alternative assumptions, and, if a range of assumptions was reasonable, how they determined the amount chosen was the most appropriate. If estimation uncertainty is determined to be high, this is one indicator to the auditor that estimation uncertainty may pose a significant risk of material misstatement. An identified significant risk requires the auditor to perform a test of controls and/or details during the audit; in other words, analytical procedures and testing performed in previous audits will not suffice. 

CECL considerations

For audits of financial institutions, including those that have implemented the FASB CECL standard as well as those still using the incurred loss method, the allowance for loan losses will likely be deemed a significant risk due to its materiality, estimation uncertainty, complexity, and sensitivity from a user’s perspective.   

Additional factors the auditor needs to consider include whether management performed a sensitivity analysis as part of its consideration of estimation uncertainty as described above, and whether management performed a lookback analysis to evaluate the previous process used. Auditors of accounting estimates are required to do at least a high-level lookback analysis to gain an understanding of any differences between previous estimates and actual results, and to assess the reliability of management’s process. 

Auditing estimate procedures

Procedures for auditing estimates include an evaluation of subsequent events, tests of management’s methodology, tests of controls, and, in some instances, preparation of an independent estimate by the auditor. Tests of management’s method and tests of controls, including auditing the design and implementation of controls, are the most practical and likely procedures to apply to audits of the allowance for loan losses at financial institutions, both under the current guidance and following adoption of the current expected credit loss (CECL) method under Financial Accounting Standards Board (FASB) Accounting Standards Update No. 2016-13, Financial Instruments – Credit Losses (Topic 326): Measurement of Credit Losses on Financial Instruments. As FASB has not prescribed a specific model, auditors must be prepared to tailor their procedures to address the facts and circumstances in place at each respective financial institution. 

In addition to auditing management’s estimate, auditors have the responsibility to audit related disclosures, including information about management’s methods and the model used, assumptions used in developing the estimate, and any other disclosures required by GAAP or necessary for a fair presentation of the financial statements. Throughout the audit process, auditors need to continue to exercise professional skepticism to consider what could have gone wrong during management’s process and to assess indicators of management bias, if any. 

For public companies, the Public Company Accounting Oversight Board (PCAOB) specifies auditors must evaluate both evidence that corroborates and evidence that contradicts management’s financial statement assertions in order to avoid confirmation bias. When considering the assessment of risks, as risk increases, the level of evidence obtained by the auditor should increase. As with audits of private companies, the auditor needs to consider whether the data is accurate, complete, and sufficiently precise and detailed to be used as audit evidence.

An added consideration under PCAOB rules is that the auditor is typically opining on the institution’s internal controls as well as its financial statements. This may restrict the results of control testing performed by parties independent of the function being tested from being used as audit evidence from a financial statement audit perspective. For financial institutions, this is often the case with independent loan review, since the loan review is considered part of the institution’s internal control upon which the auditor is opining. 

Supporting evidence

As with the incurred loss method, PCAOB auditing standards will require the auditor consider how much evidence is necessary to support the allowance for loan losses under CECL. All significant components of management’s allowance for loan losses estimate, including qualitative factors, will need to be supported by institution-specific data. If such data is unavailable (for example, because the institution introduces a new type of loan offering), the FASB standard indicates appropriate peer data may be acceptable. In such cases, management and the auditor may need to understand the controls in place at the vendor providing the peer data to determine its reliability. You may provide this information in the form of System and Organization Controls (commonly know as SOC1) reports of the vendor’s system.  

Recently, the International Auditing and Assurance Standards Board revised its auditing rules for estimates, with a goal of enhancing guidance regarding application of the basic audit risk model in the context of auditing estimates. The revised rules require that auditors must separately assess inherent and control risk when obtaining an understanding of controls, identifying and assessing risks, and designing and performing further audit procedures. The ASB seeks convergence of rules both internationally and domestically, and has therefore proposed changes to its requirements for auditing estimates to align with the IAASB revised rules. The ASB’s proposal on these changes indicated they would be effective beginning with audits of fiscal year ending December 31, 2022; the final effective date will be determined in conjunction with its issuance of the final rules.

The best CECL approach 

The best approach to take? Management should discuss planned changes to estimate the process with your auditors to get their perspective on best practices under CECL. Key areas to review in the discussion include documenting the decision-making process, key players involved, and the resulting review and approval process (especially for changes to methods or assumptions). Always retain copies of your final documentation for auditor review. If you would like more information, or have a specific question about your situation, please contact the team. We’re here to help. 

Read this if you would like a refresher of common-sense approaches to protect against fraud while working remotely.

Coronavirus (COVID-19) has imposed many challenges upon us physically, mentally, and financially. Directly or indirectly, we all are affected by the outbreak of this life-threatening disease. Anxious times like this provide perfect opportunities for fraudsters. The fraud triangle is a model commonly used to explain the three components that may cause someone to commit fraud when they occur together:

1. Financial pressure/motivation 
   In March 2020, the unemployment rate increased by 0.9 percent to 4.4 percent, and the number of unemployed persons rose by 1.4 million to 7.1 million.
2. Perceived opportunity to commit fraud 
   Many people are online all day, providing more opportunities for internet crime. People are also desperate for something, from masks and hand sanitizers to coronavirus immunization and cures, which do not yet exist. 
3. Rationalization 
   People use their physical, mental, or financial hardship to justify their unethical behaviors.

To combat the increasing coronavirus-related fraud and crime, the Department of Justice (DOJ) launched a national coronavirus fraud task force on March 23, 2020. It focuses on the detection, investigation, and prosecution of fraudulent activity, hoarding, and price gouging related to medical resources needed to respond to the coronavirus. US attorney’s offices are also forming local task forces where federal, state, and local law enforcement work together to combat the coronavirus related crimes. Things are changing fast, and the DOJ has daily updates on the task force activities. 

Increased awareness for increased threats

Given the increase in fraudulent activity during the COVID-19 outbreak, it’s important for employees now working from home to be aware of ways to protect themselves and their companies and prevent the spread of fraud. Here are some of the top COVID-19-related fraud schemes to be aware of. 

• Phishing emails regarding virus information, general financial relief, stimulus payments, and airline carrier refunds
• Fake charities requesting donations for illegitimate or non-existent organizations 
• Supply scams including fake shops, websites, social media accounts, and email addresses claiming to sell supplies in high demand but then never providing the supplies and keeping the money 
• Website and app scams that share COVID-19 related information and then insert malware that could compromise the device and your personal information
• Price gouging and hoarding of scarce products
• Robocalls or scammers asking for personal information or selling of testing, cures, and essential equipment
• Zoom bombing and teleconference hacking

If you have encountered suspicious activity listed above, please report it to the FBI’s Internet Crime Complaint Center.

Staying vigilant

To protect yourself from these threats, remember to use proper security measures and follow these tips provided by the Federal Bureau of Investigation (FBI) and DOJ:

• Verify the identity of the company, charity, or individual that attempts to contact you in regards to COVID-19.
• Do not send money to any business, charity, or individual requesting payments or donations in cash, by wire transfer, gift card, or through the mail. 
• Understand the features of your teleconference platform and utilize private meetings with a unique code or password that is not shared publicly.
• Do not open attachments or click links within emails from senders you do not recognize.
• Do not provide your username, password, date of birth, social security number, insurance information, financial data, or other personal information in response to an email or robocall.
• Always verify the web address of legitimate websites and manually type them into your browser.
• Check for misspellings or wrong domains within a link (for example, an address that should end in a ".gov" ends in .com" instead).

Stay aware, and stay informed. If you have specific concerns or questions, or would like more information, please contact our team. We’re here to help.