Analytical procedures are a critical part of the audit process

During the pandemic, many audit procedures have been performed remotely, forcing auditors to rely more heavily on analytical procedures, such as trend, ratio, and regression analysis, than in the past. But so-called “analytics” isn’t a novel concept for auditors. They’ve been using analytics for decades to make audits more efficient and effective.

Audit analytics

The American Institute of Certified Public Accountants (AICPA) publishes guidance on using analytics during a financial statement audit. The auditing standards define analytical procedures as “evaluations of financial information through analysis of plausible relationships among both financial and non-financial data. Analytical procedures also encompass such investigation, as is necessary, of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount.”

Auditors use analytics to understand or test financial statement relationships or balances. The types of procedures are customized, depending on the size and complexity of the company.

Five steps

When performing analytics, auditors generally follow this five-step process:

  1. Form an independent expectation based on the company and its industry
  2. Identify differences between expected and reported amounts
  3. Brainstorm all possible causes for the discrepancy
  4. Determine the most probable cause(s) for the discrepancy
  5. Evaluate discrepancies to determine the nature and extent of any additional auditing procedures

Any discrepancy is compared to the auditor’s threshold for analytical testing. If the difference is less than the threshold, the auditor generally accepts the recorded amount without further investigation and the analytical procedure is complete. If the difference is greater than the threshold, additional procedures may be needed.

A closer look

Additional investigation is required for significant fluctuations or relationships that are materially inconsistent with other relevant information or that differ from expected values. For differences above the threshold, the auditor will likely inquire about the reason.

Many discrepancies have “plausible” explanations, usually related to unusual transactions or events or to accounting or business changes. Plausible explanations typically require corroborating audit evidence. For example, if a manufacturer’s gross margin seems off, the accounting department might explain that its supplier increased the price of raw materials. To corroborate that explanation, the auditor might confirm the price increase with the company’s top supplier.

In some cases, a discrepancy may warrant more in-depth testing. Other times, the analytical test or the data itself is problematic, and the auditor needs to apply additional analytical procedures with more precise data.

For differences that are due to misstatement (rather than a plausible explanation), the auditor must decide whether the misstatement is material (individually or in the aggregate). Material misstatements typically require adjustments to the amount reported and may also necessitate additional audit procedures to determine the scope of the misstatement.

Creating a paper trail

Auditors document analytical procedures in audit work papers. These are the files the auditor creates to support their audit conclusions. In general, work papers document the procedures applied, tests performed, information obtained, and conclusions reached in the audit.

For each analytical procedure performed during the audit, the work papers will explain the factors considered when developing the expectation and how the expectation compares to the recorded amounts or ratios developed from recorded amounts. The auditor also must document the results of any additional auditing procedures — such as management inquiry, research, and testing — performed in response to significant unexpected discrepancies.

Help us help you

Analytical procedures can help make your audit less time-consuming and more effective at detecting errors and omissions. You can facilitate these procedures by forewarning your auditors about any recent changes to the company’s operations, accounting methods, or market conditions. This insight can help auditors develop more reliable expectations for analytical testing and identify plausible explanations for significant changes from the balance reported in prior periods.

In addition, now that you understand the role analytical procedures play in an audit, you can anticipate audit inquiries, prepare explanations, and compile supporting documents before the start of audit fieldwork. Contact a member of your KraftCPAs audit team for more information.

© 2021

Know where you stand with QuickBooks’ powerful Report Center

Users of QuickBooks already know how it’s transformed their daily bookkeeping practices. Users can create sales forms like invoices quickly and find them when they need them. Customer and vendor records are organized and stored neatly for fast retrieval. And it’s easy to accept online payments, track inventory, and record billable time.

But if you’re not using QuickBooks’ built-in reports, you’re missing out on one of the software’s most powerful components. While you can look at lists of invoices, sales receipts, and payments, you can’t see in a few seconds who owes you money and how late they are in paying, for example. You’re not able to get an instant overview of who you owe. You can’t call up a customer’s history instantly, and it will take an enormous amount of time to see which of your items and services are selling and which aren’t.

These are just a few of the insights you get from using QuickBooks reports. Beyond learning about your company’s past and present financial states, you can make better business decisions that will improve your future.

Before you start

QuickBooks’ reports are exceptionally customizable, as you’ll see. But before you start creating them, you should see what your general report options are. Open the Edit menu and select Preferences, then Company Preferences (which only administrators can modify).

You’ll see that you can control your reports’ general settings. For example, some reports can be created on the basis of either Accrual or Cash. You can designate your preference here. Do you want the aging process to begin on the due date or transaction date? How much information should appear when Items or Accounts are displayed? What additional data should appear on your report pages (Report Title, Date Prepared, Report Basis, etc.)? You can specify your own Format or just accept the Default.

Note that Statement of Cash Flows is an advanced report, one we don’t recommend you try to modify or analyze on your own. We can help with that when the report is needed, which is usually monthly or quarterly.

When you’re done here, click OK.

Learn what’s there

The best way to familiarize yourself with the reports that QuickBooks offers is to open the Reports menu and click Report Center. The content here is divided by type (Customers & Receivables, Sales, Purchases, etc.). Click around these lists and use the icons in each box to Run the current report, get more Info on it, mark it as one of your Favorites, or view a Help file. You can choose the date range before you run it with your company’s own data.

Customizing your content

We mentioned before how customizable QuickBooks’ reports are. Customization options vary from report to report, but we’ll look at one example here. You’re likely to want to run Sales by Item Detail frequently to see what your most popular items are as well as what’s not doing so well. Find it in the Report Center by clicking the Sales tab, selecting it, and clicking Run. If you don’t have a lot of data in QuickBooks yet, open one of the sample files that came with the software (File | Open Previous Company).

With the report open, click Customize Report in the upper left corner and see that there are four tabs here. Click on each to see what your options are.

  • Display. Includes options like Report Date Range and Columns.
  • Filters. What cross-section of your QuickBooks data do you want to see? Choose a filter, and the middle column will change to reflect your options there. You can add and remove as many filters as you’d like.
  • Header/Footer. If you want to change the settings you established in Company Preferences, you can do so here.
  • Fonts & Numbers. Contains display options.

When you’ve finished customizing your report, click OK to create it. Your modified report format will not be saved unless you click Memorize and give it a name.

You can customize and run many QuickBooks reports yourself, or reach out to a KraftCPAs QuickBooks Professional for help understanding how QuickBooks reports can help you make better business decisions.

© 2021

Tennessee Jobs Tax Credit can be boon for businesses

The State of Tennessee offers lucrative tax credits for companies across the state, but many businesses fail to cash in on these opportunities.

One of the most common tax credits in Tennessee is the Jobs Tax Credit (JTC), which is a credit of $4,500 per new job made available to “qualified business enterprises” that add a certain number of new full-time employees.

The credit is limited to 50% of the company’s current franchise and excise (F&E) tax liability. Any credit amount not utilized in the current year can be carried forward for 15 years.

Requirements

Qualified business enterprise: A “qualified business enterprise” is a business that is engaged in manufacturing, warehousing, distribution, processing, research and development, computer services, call centers, data centers, headquarters facilities, convention/trade show facilities, or aircraft repair service facilities in Tennessee. Businesses that promote high-skill, high-wage jobs in high-technology areas can also qualify for this credit.

Capital investment: To qualify for the JTC, the company must make a capital investment of $500,000 in real or tangible property in Tennessee.

Business plan: Companies must submit a business plan to the Department of Revenue before claiming the credit.

Full-time jobs: Each of the company’s new positions must be a “full-time job,” which is defined as a permanent position providing at least 37 1/2 hours of work per week, for at least 12 consecutive months. And the employee must receive the minimum healthcare benefits.

The counties in Tennessee are divided into one of four incentive tiers based on the economic conditions of the area. Tiers are updated annually, most recently July 1, 2021. The number of jobs and the time frame in which they must be created are determined by each county’s tier classification. The tiers are:

  • Tier 1 & 2: 25 net new full-time positions within a 36-month period
  • Tier 3: 20 net new full-time positions within a 60-month period
  • Tier 4: 10 net new full-time positions within a 60-month period

Expanded credit

An expanded credit is available for qualifying businesses located in “economically distressed” counties categorized as Tier 2, Tier 3, or Tier 4.

Based on the assigned tier of the county, the additional credit is allowed on an annual basis for the following time frames:

  • Tier 2: Additional three years at $4,500 per year with no carry forward
  • Tier 3 & 4: Additional five years at $4,500 per year with no carry forward

The expanded credit can be used to offset 100% of the taxpayer’s F&E tax liability for that year. This portion of the credit does not carry forward beyond the year in which the credit originated.

Most Middle Tennessee counties — Cheatham, Davidson, Dickson, Maury, Montgomery, Robertson, Rutherford, Sumner, Williamson, and Wilson — are classified as Tier 1. The full map of Tennessee county tiers is published by the state.

If you’d like to discuss your company’s potential to take advantage of the JTC or other tax credits, please reach out to a KraftCPAs professional.

© 2021

How to protect your data in QuickBooks

After the unprecedented year we’ve just experienced, the last thing you need is to have your accounting data compromised or stolen. It would be impossible to reconstruct your QuickBooks file from scratch, and you can’t afford to have a hacker steal any of your funds.

There are multiple steps you can take to protect yourself from threats, both internal and external. QuickBooks itself offers some safeguards. Strong company policies can also help safeguard against data theft or destruction. And some of your security guidelines should just come from using common sense.

Here’s a look at what you can do.

Keep your systems safe

There are countless ways you can protect your data by maintaining the integrity of the computer that’s running QuickBooks. Some involve the same steps you would take to safeguard all the applications and information you have stored there. You should have reputable antivirus/anti-malware software installed. Use strong passwords. Keep up with system updates.

Updates and backup

QuickBooks’ own updates are critical, too. You can start these manually, but we recommend setting up automatic updates. Open the Help menu and click on Update QuickBooks Desktop. Click the Options tab to access this tool.

Frequent, safely stored backups are another essential element of overall data security. If your system is compromised by an intruder, you’ll need to be able to restore your most recent QuickBooks file when it’s safe again. Go to File | Back Up Company to set up either a local or an online backup. Use one of these tools at the end of any day you’ve entered anything on QuickBooks. We can help you with backup if you’re not sure how to do it.

Networks and smartphones

If you have multiple PCs that run on a network, it’s important to maintain that system’s health, too, since an intrusion at one workstation can affect everyone. You can do this by:

  • Discouraging employees from browsing the web excessively and downloading unnecessary software.
  • Encouraging responsible handling of emails (no clicking on unknown attachments, no personal email on work computers, etc.)
  • Installing network monitoring software or hiring a managed IT service that only charges when you need them.

Do your employees have company-issued smartphones? Make sure their security systems are sound. Set policies to protect them. For example, tell employees they should never use them on a public wi-fi network or install personal apps on them.

Internal fraud possible

No business owner anticipates that their own employees would steal from them. But it happens, and it can do tremendous financial damage. Minimize your chances of being victimized by limiting the access that employees have to sensitive information.

Go to Company | Set Up Users and Passwords, then click Set Up Users. You should be listed there as the Admin. Click Add User and supply a username and password. If you’re not sure how many users are supported on your license or need to add more, contact us. Click Next and then click the button in front of Selected areas of QuickBooks. Click Next again. On the next several screens, you’ll designate that user’s access in areas including Purchases and Accounts Payable and Checking and Credit Cards. When you come to the end of the wizard, click Finish.

You might consider running a background check when you hire someone who will have access to QuickBooks. It’s become a more common business practice.

QuickBooks provides additional tools that can be helpful in tracking down suspicious activity. You can view the Audit Trail, for one. Go to Reports | Accountant & Taxes | Audit Trail. This report displays a comprehensive list of transactions that have been entered and/or modified.

There are other reports that may be helpful, like Missing Checks, Voided/Deleted Transactions, and Purchases By Vendor.

A never-ending process

It’s so easy to get caught up in the daily work of running your business that you forget to take the steps required to keep your QuickBooks data — and all your computer hardware and software — safe. We get that.

Further, you might think that you’re an unlikely target because you’re a small business. Hackers count on you thinking that, though the reality is that you don’t have to be a big corporation to be the victim of cybercrime. Whether or not criminals get access to your funds, they can do a lot of damage that will end up costing you more time and money than you might think.

It’s important to stay vigilant. Security should be considered whenever you deal with financial transactions – especially where the internet is involved. If we can be of assistance as you set up safeguards and company policies, let us know. As always, reach out to KraftCPAs for answers to any questions you might have about QuickBooks operations.

© 2021

Sustainable credibility plays key role in internal audit’s value

For internal auditors, knowing how the audited organization (i.e., board members, audit committee members, management) defines value is one of the most important, yet most challenging, aspects of the profession.

Auditors routinely issue reports that include findings and recommendations related to user provisioning, formalized policies and procedures, undocumented reviews, and outdated system patches. These are relevant internal control issues that need to be corrected but are commonplace and not shocking to audit committees. Recently, KraftCPAs presented an audit report that addressed a programming error in the company’s three-way match process. The error would allow a payment to be processed when there was a significant difference between the purchase order price and invoice price. During the presentation, the audit committee chair asked, “How did you find that?” with a sense of amazement. This is when you know you have provided value as an auditor.

Value is different for everyone and can change based on circumstances. Accordingly, there isn’t an instruction manual that can be followed to ensure that your internal audit function is delivering value. However, the Institute of Internal Auditors (IIA) provides a framework that can set a foundation for credibility and provide the conditions necessary to deliver value to the organization.

Credibility bridges the gap between those moments of value-added amazement and keeps your internal audit function relevant. The IIA’s Quality Assurance and Improvement Program (QAIP) is the framework that helps build and maintain that credibility.

The IIA’s International Standards for the Professional Practice of Internal Auditing (the Standards) establishes a road map for what the internal audit function should do. The QAIP, which is required by the Standards, is an ongoing program that provides a structure to increase the quality and value of internal audit services. It includes an assessment of the efficiency and effectiveness of the internal audit function, along with compliance with the Standards. It also provides the information needed for improvement and gives the best opportunity to deliver value.

For most, when a defined set of standards developed by a recognized professional organization is followed, credibility is immediately established. Credibility is further reinforced if the organization is assessed by a third party and found to be compliant with those standards.

All internal audit organizations should have a QAIP, but it’s required for organizations that use the phrase “… conforms with the International Standards for the Professional Practice of Internal Auditing” in their audit reports or other information describing their audit services.

The Standards establish how the internal audit activity should be structured. They also establish the activities that should be performed in three core components: governance, professional practices, and communication. Activities from these core components are assessed as part of the QAIP. QAIP assessments consist of three elements as well: ongoing monitoring, periodic self-assessments, and external assessments.

Sustainability for the QAIP is obtained by developing processes and templates that are repeatable and enforce compliance with the Standards.

One component of a QAIP that seems to be the most daunting and keeps internal audit functions from fully complying with the Standards is the required assessment by an independent third party every five years. Yes, even auditors try to avoid being audited. This fear comes from a lack of preparation. There is no secret to how the external assessors will perform their assessment. In fact, the QAIP provides the framework to prepare an internal audit organization through a self-assessment using the guidance used by external assessors.

Beyond the structure provided by the QAIP, relationship building is the most important factor in an internal audit function’s quest for delivering value. Having the right relationships and aligning audit activities with the strategic goals of the organization can lead to those value-added moments. This is the only way value can truly be understood. Relationships can be built and maintained through annual risk assessments, seeking management feedback, communicating the results of audit activities, and offering to help.

Many years ago, KraftCPAs inherited an internal audit function that had lost the trust of management and the audit committee. There were many challenges, but the top priority was to build relationships, establish credibility, and cultivate trust. This was accomplished by seeking constant feedback from management and offering to help, instead of being critical of mistakes and minor issues. Over the years, the client offered a “thank you” many times for guidance through the development of new controls during the implementation of new processes or systems. The prior audit team frequently declined to help in those situations.

Implementing a QAIP can seem like an uphill task, but most Internal Audit functions are inherently doing most of the required activities. With just a little guidance and developing repeatable processes, any internal audit function can be successful. In fact, there is no mystery to how it works. The IIA provides all the guidance and tools necessary.

You know your QAIP is successful if the result of your external assessment is that the audit function “generally conforms” with the Standards, or, more importantly, the organization is seeking internal audit’s help and advice outside of routine audits.

If you need help establishing an internal audit function that adds value, your audit activity needs assistance establishing a QAIP, or your audit function needs an independent external assessment to demonstrate compliance with the Standards, KraftCPAs has the knowledge and experience to help.

© 2021

Good records are the key to trouble-free audits and deductions

If you operate a small business or are starting a new one, you probably know you need to keep records of your income and expenses. In particular, you should carefully record your expenses to claim the full amount of the tax deductions to which you’re entitled. And you want to make sure you can defend the amounts reported on your tax returns if you’re ever audited by the IRS or state tax agencies.

Certain types of expenses, such as automobile, travel, meals, and office-at-home expenses, require special attention because they’re subject to special record keeping requirements or limitations on deductibility.

It’s interesting to note that there’s not one way to keep business records. In its publication “Starting a Business and Keeping Records,” the IRS states: “Except in a few cases, the law does not require any specific kind of records. You can choose any record keeping system suited to your business that clearly shows your income and expenses.”

That being said, many taxpayers don’t make the grade when it comes to record keeping. Here are three court cases to illustrate some of the issues.

Case No. 1: Without records, the IRS can reconstruct your income

If a taxpayer is audited and doesn’t have good records, the IRS can perform a “bank-deposits analysis” to reconstruct income. It assumes that all money deposited in accounts during a given period is taxable income. That’s what happened in the case of the owner of a coin shop and precious metals business. The owner didn’t agree with the amount of income the IRS attributed to him after it conducted a bank-deposits analysis.

But the U.S. Tax Court noted that if the taxpayer kept adequate records, “he could have avoided the bank-deposits analysis altogether.” Because he didn’t, the court found the bank analysis was appropriate and the owner underreported his business income for the year. (TC Memo 2020-4)

Case No. 2: Expenses must be business-related

In another case, an independent insurance agent’s claims for a variety of business deductions were largely denied. The Tax Court found that he had documentation in the form of canceled checks and credit card statements that showed expenses were paid. But there was no proof of a business purpose.

For example, he made utility payments for natural gas, electricity, water, and sewer, but the records didn’t show whether the services were for his business or his home. (TC Memo 2020-25)

Case No. 3: No records could mean no deductions

In this case, married taxpayers were partners in a travel agency and owners of a marketing company. The IRS denied their deductions involving auto expenses, gifts, meals and travel because of insufficient documentation. The couple produced no evidence about the business purpose of gifts they had given. In addition, their credit card statements and other information didn’t detail the time, place, and business relationship for meal expenses or indicate that travel was conducted for business purposes.

“The disallowed deductions in this case are directly attributable to (the taxpayer’s) failure to maintain adequate records,” the court stated. (TC Memo 2020-7)

We can help

Contact us at KraftCPAs if you have questions or need assistance retaining adequate business records. Taking a meticulous, proactive approach to keeping records can protect your deductions and help make an audit much less painful.

© 2020

Know which filing status works best for you

For tax purposes, Dec. 31 means more than New Year’s Eve celebrations. It affects the filing status box that will be checked on your tax return for the year. When you file your return, you do so with one of five filing statuses, which depend in part on whether you’re married or unmarried on Dec. 31.

More than one filing status may apply, and you can use the one that saves the most tax. It’s also possible that your status options could change during the year.

Here are the filing statuses and who can claim them:

  1. Single. This status is generally used if you’re unmarried, divorced, or legally separated under a divorce or separate maintenance decree governed by state law.
  2. Married filing jointly. If you’re married, you can file a joint tax return with your spouse. If your spouse passes away, you can generally still file a joint return for that year.
  3. Married filing separately. As an alternative to filing jointly, married couples can choose to file separate tax returns. In some cases, this may result in less tax owed.
  4. Head of household. Certain unmarried taxpayers may qualify to use this status and potentially pay less tax. The special rules that apply are described below.
  5. Qualifying widow(er) with a dependent child. This may be used if your spouse died during one of the previous two years and you have a dependent child. Other conditions also apply.

Head of household status

Head of household status is generally more favorable than filing as a single taxpayer. To qualify, you must “maintain a household” that, for more than half the year, is the principal home of a “qualifying child” or other relative that you can claim as your dependent.

A “qualifying child” is defined as someone who:

  • lives in your home for more than half the year
  • is your child, stepchild, foster child, sibling, stepsibling, or a descendant of any of these
  • is under 19 years old or a student under age 24, and
  • doesn’t provide over half of his or her own support for the year

Different rules may apply if a child’s parents are divorced. Also, a child isn’t a “qualifying child” if he or she is married and files jointly or isn’t a U.S. citizen or resident.

Maintaining a household

For head of household filing status, you’re considered to maintain a household if you live in it for the tax year and pay more than half the cost of running it. This includes property taxes, mortgage interest, rent, utilities, property insurance, repairs, upkeep, and food consumed in the home. Don’t include medical care, clothing, education, life insurance, or transportation.

Under a special rule, you can qualify as head of household if you maintain a home for a parent of yours even if you don’t live with the parent. To qualify, you must be able to claim the parent as your dependent.

Marital status

You must generally be unmarried to claim head of household status. If you’re married, you must generally file as either married filing jointly or married filing separately, not as head of household. However, if you’ve lived apart from your spouse for the last six months of the year, a qualifying child lives with you, and you “maintain” the household, then you’re treated as unmarried. In this case, you may be able to qualify as head of household.

If you have questions about your filing status, please contact us at KraftCPAs.

© 2019

How to improve your healthcare facility’s medical device cybersecurity

Last year, medical device vendor Zoll was conducting what the organization saw as a routine migration of its servers. After what they referred to as a “data security incident” that occurred in either November or December 2018, they notified their 277,319 patients that their data had been compromised. The data included names, Social Security numbers, dates of birth, medical history, and other personally identifiable information.

All patient data was eventually secured, and no identity theft was reported as a result of the incident. But the very threat of more repercussions after the initial breach underlined the vulnerability of medical devices as cybersecurity threats continue to grow on a national level.

Cybersecurity is an emerging concern across all sectors. The healthcare sector may be one of the most vulnerable because so many of its components rely on cyber systems, such as the transfer of electronic personal health information as well as the maintenance, management, and operation of medical devices. That’s why it should be at the forefront of every healthcare facility’s list of threats to address.

Why you should care about medical device cybersecurity

There are a variety of cyber vulnerabilities that can impact medical devices, especially as these devices within a hospital or health system become more and more connected. A few types of vulnerabilities include, but are certainly not limited to:

Data breaches. Many medical devices contain sensitive patient data such as electronic health records. If exposed during a data breach, patient personal health information (PHI) can be used for nefarious purposes by a malicious actor.

Ransomware or malware attacks. With the rise of email phishing scams, medical devices have never been more vulnerable to a ransomware or malware attack. In a ransomware attack, a medical device’s IT systems are corrupted or locked by a malicious actor who demands a payment to restore them.

Interference with the medical care provided by devices. As more and more medical devices come online, the potential for the disruption of medical devices exists. This can lead to direct (and negative) consequences for patient care.

Outdated software. Some medical device manufacturers use old software without the latest security patches, and in some cases the manufacturer prohibits patching so that updates do not interfere with the device’s operation. This can leave devices vulnerable to cyberattacks or other unanticipated performance issues.

Methods for prevention

There are mechanisms for securing medical devices, and while they aren’t necessarily simple, there are basic, high-level best practices to improve the cyber hygiene of your facility’s devices.

Patch, patch, patch. Ensuring that your systems are up-to-date with the latest patches will give you the best chance of avoiding infection from ransomware or malware.

Incorporate cyber practices into your continuity of operations (COOP) procedures. Your facility has emergency response plans, checklists, and other types of guidance on how to best respond to disruptions or disasters. Ensure that medical device security incidents are incorporated into these plans. For example, if a data breach of one of your medical devices occurs, you should have documentation on the proper procedures for managing the breach.

Educate your staff. A documented response plan is only valuable if your staff are trained to execute its instructions. Emphasize to your staff the importance of good cybersecurity practices and of maintaining them, and hold training on how to do so.

Maintaining proper cyber health for your facility’s devices is a critical yet daunting task. Luckily, there are resources available to help hospitals and other healthcare facilities do just that.

FDA resources

The U.S. Food and Drug Administration is the lead within the federal government for medical device cybersecurity. It offers multiple information resources to assist healthcare facilities, including:

FDA Website on Cybersecurity. This website provides a high-level overview of medical device cybersecurity from the FDA perspective.

The FDA’s Role in Medical Device Cybersecurity. This fact sheet outlines FDA’s role in assisting with the national security of medical devices. It dispels several myths as well.

Interference with Pacemakers and Other Devices. This web page discusses how radiofrequency energy can interact with and potentially disrupt medical devices.

Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Released in October 2018, this document provides recommendations to the private sector regarding cybersecurity considerations to be included in premarket submissions for devices that are susceptible to cyberattacks.

Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software. This document outlines software maintenance to manage cyber vulnerabilities within medical devices.

Healthcare and Public Health Sector Partnership resources

The Healthcare and Public Health Sector Partnership consists of federal, state, local, and private sector healthcare representatives who collaborate with the U.S. Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS) to help secure healthcare and public health critical infrastructure. DHS includes cybersecurity within its definition of critical infrastructure. This group has a variety of resources dedicated to increasing awareness of medical device cybersecurity.

Medical Device and Health IT Joint Security Plan. This document developed by the Healthcare and Public Health Sector Coordinating Council’s Joint Cybersecurity Working Group is “a consensus-based total product lifecycle reference guide to developing, deploying, and supporting cyber secure technology solutions in the healthcare environment.”

Healthcare Industry Cybersecurity Practices. Also developed by the Joint Cybersecurity Working Group, this product is a four-volume document that outlines common cybersecurity threats and best practices. It offers a more holistic approach to addressing cybersecurity at a healthcare facility, of which medical device security is an important component.

The Healthcare and Public Health Sector Highlights – Cybersecurity Edition. This email newsletter, sent every Friday morning by the HHS Office of the Assistant Secretary for Preparedness and Response, includes links to reports, products, and webinars related to medical device cybersecurity. These emails include weekly reports and cyber threat briefings from the Healthcare Cybersecurity Coordination Center (HC3), HHS’s cybersecurity information sharing and analysis center. Many of these briefings include information on medical device cyber vulnerabilities.

Summary

Every hospital or healthcare facility needs to consider the cybersecurity of its medical devices a major risk to its operations, but you can take steps to mitigate these risks through education and implementation of best practices. Using the resources outlined above is a good start to help make you and your staff more aware of this security issue.

For more information on how to improve the cybersecurity of your medical devices, contact us at Kraft Technology Group today.

This article originally appeared in the Nashville Medical News.

How strong are your company’s internal controls?

A solid system of internal controls translates into more reliable financial reporting and can help companies prevent, detect, and correct financial misstatements. In contrast, weak controls can result in costly errors — potentially even fraud.

Internal controls have become a hot-button issue for companies in the 21st century. If your company seems to be putting more hours into evaluating its control systems, it’s not alone. Many companies have spent more time assessing and improving internal controls in recent years.

The basics

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal controls should be “designed to provide reasonable assurance [of] the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.”

COSO lists five components of internal controls:

  • control environment
  • risk assessment
  • control activities
  • information and communication
  • monitoring

Companies must continually review and improve internal control performance. AICPA auditing standards also require external auditors to evaluate their client’s internal controls as part of their audit risk assessment procedures. Private auditors tailor audit programs for potential risks of material misstatement, but they aren’t required to specifically perform procedures to identify control deficiencies — unless they’re hired to perform a separate internal control study.

Management letters

Statement on Auditing Standards (SAS) No. 115, Communicating Internal Control Related Matters Identified in an Audit, requires auditors to consider whether controls are sufficient to prevent and detect misstatement, as well as whether they enable management to correct misstatements in a timely manner. Under SAS 115, management letters must identify two types of deficiencies in internal controls unearthed during audit procedures:

  1. Material weaknesses. Such shortcomings refer to “a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis.”
  2. Significant deficiencies. This type of concern is “less severe than a material weakness, yet important enough to merit attention by those charged with governance.” Note that a control deficiency is dependent on the potential for misstatement; misstatement need not actually have occurred.

SAS 115 permits significant leeway in how auditors classify internal control weaknesses, such as lack of segregation of duties, inadequately trained accounting personnel, restated prior-period financial statements, and material audit adjustments.

When classifying deficiencies as material or significant, auditors evaluate the probability and magnitude of the potential misstatement. They also consider “compensating controls,” which are substitute procedures that limit the severity of a deficiency.

Public company SOX compliance

In addition to SAS 115, Section 404 of the Sarbanes-Oxley Act (SOX) requires a public company’s management to assess its internal control over financial reporting (ICFR). The provision also requires the company’s external auditor to attest to the effectiveness of management’s internal controls.

Last year, roughly half (51%) of the public companies in a survey by consulting firm Protiviti reported spending more time checking ICFR than they had in the previous fiscal year. Why? The main reasons reported are:

  • accounting standard changes (in particular, the new guidance on revenue recognition and reporting leases)
  • the use of technology (such as robotic process automation and artificial intelligence) that requires testing of new controls
  • rigorous inspections of controls by the Public Company Accounting Oversight Board (PCAOB)

Among the companies that reported an increase in their Section 404 compliance hours, 59% reported an increase of more than 10% over the prior year. Only 15% of the respondents reported a decrease in compliance hours. The increase in the time devoted to complying with Section 404 was more evident among larger companies than small ones.

Need help?

Internal controls are just as important for privately held companies as they are for publicly traded ones. In fact, smaller private companies are often less resilient to frauds caused by weak controls — and they also tend to have less-sophisticated internal audit and accounting departments than public companies.

Contact us at KraftCPAs if you need help understanding the recent changes to the accounting and tax rules. We can also help brainstorm cost-effective ways to improve your existing internal controls system.

© 2019

HIPAA, HITECH, and HITRUST

Any organization or business that handles health information or other sensitive data should be familiar with HIPAA, HITECH, and HITRUST requirements. Unfortunately, some entities and/or their employees view these “H-words” merely as suggestions or someone else’s responsibility. Others are confused by how these terms apply to them. If you’re already muttering, “What the H?” — this series is for you.

What the H? articles

What the H?

HIPAA, HITECH, and HITRUST: The Essentials of Healthcare Security Compliance

In Part 1, we explore the differences between these important acronyms, as well as how these concepts build upon each other to play a significant part in securing protected health information (PHI). Read the entire Nashville Medical News article – Part One.

How the H?

HIPAA, HITECH, and HITRUST: The Path to Compliance

“How do I get – and stay – compliant?” is the (potentially million-dollar) question facing any entity handling PHI. In this article, we outline the recommended path to compliance. Read the entire Nashville Medical News article – Part Two.

Why the H?

HIPAA, HITECH, and HITRUST: The importance of each for you and your consumers

Now that we know what these concepts mean and how to achieve compliance, we explore the reasons behind it all. Read the entire Nashville Medical News article – Part Three.

What the H? video

If you were unable to attend our What the H? HIPAA, HITECH, and HITRUST Seminar, you can still watch the What the H? presentation video and view the presentation slides.