"What do you mean, there is more to regulatory compliance than Medicaid or Medicare?”
“Why do these government enforcement agencies keep pestering us?”
“Don’t they know our budgets are tight and we don’t have time or money for self-policing ourselves?”
If you could be a fly on the wall, you could have heard the above questions and many more being asked by clients frequently over the past several years.
It is true that the federal Medicare program initiated regulatory-compliance audits several decades ago. In New York, the formation of the Office of the Medicaid Inspector General (OMIG) in 2005 significantly increased the expectation of government payers on regulatory compliance.
Medicaid spending is the single largest component of the New York State budget and represents a prominent budget item for the state’s counties. Medicaid is a jointly funded (federal, state, and county) program adopted by the legislature in 1965, along with the federal Medicare Program.
Here we are, roughly 50 years later, and 26 percent of New York State residents qualify for Medicaid assistance. At the same time, various estimates place annual fraud and abuse in New York’s Medicaid Program in the billions of dollars.
However, the purpose of this column is to expand the scope of compliance efforts in your organization to adequately cover increasing risks of noncompliance with many other government regulatory requirements.
As is often the case, please don’t shoot the messenger. The level, scope, and breadth of government regulatory auditing has increased dramatically just in the last five years.
Picture this. Your regulatory compliance program must now assess risk from the following enforcement agencies:
Internal Revenue Service (IRS); Department of Labor (DOL) – federal/ state; NYS sales tax; Office of Civil Rights (OCR); Single
Audit under OMB A-133 — federal Office of the Inspector General and various state funding sources; federal and state cost reporting — unallowable and questioned costs; New York Charities Bureau — fundraising regulations; information technology security/controls.
I could spend a column on each of the above areas. However, I believe that a brief example of risk in each of these regulatory areas will allow the reader to assess whether more should be done in your organization to implement corrective action.
Please consider the following in your annual compliance risk assessment process:
1) IRS. The IRS Form 990 was substantially revised in 2008. After allowing for nonprofits to become compliant over the past several years, it is now your responsibility to ensure that the answers to Form 990 questions are, in fact, being followed.
The IRS is stepping up its field audit of nonprofit Form 990s, with particular focus on the following areas:
a. Board oversight of executive-compensation/benefits
b. Section 4958 of the Internal Revenue Code
c. Disclosure and documentation regarding conflicts of interest
d. Compliance with IRS filing requirements; pay particular attention to Form 1099 — is the individual an independent contractor or employee?
e. Board governance and related party transactions. Are transactions recorded at fair market value?
f. DOL. If you have hourly employees eating lunch at their desks/cubicles, you may have a serious problem. If you have a unique paid time-off policy, you may have a serious overtime issue. Finally, do your “exempt” employees really qualify as managers/supervisors?
2) State sales tax. In the past several years, without question, the most significant increased scrutiny is of tax-exempt organizations. But, you might say, aren’t we tax-exempt? Not necessarily. Pay particular attention to your fundraising activities and any services you may provide to for-profit organizations or individuals. The sales-tax rules are complex. If you are not registered to receive sales-tax regulatory changes, I would strongly suggest you consider registering tomorrow.
3) OCR. Remember HIPAA, that legislation passed in 1996 that defined protected health information (PHI)? If your organization is responsible for maintaining the confidentiality of PHI for individuals served, please be sure that someone in your organization has primary responsibility for knowing and complying with these regulations. A brief visit to the OCR website will “open your eyes” about the substantial risks associated with fines and penalties for noncompliance.
4) A-133 single audit. This federal legislation, adopted indirectly by New York State, was originally passed in 1984. You would think after more than 25 years, all nonprofits would be as “clean as a whistle” regarding federal and state cost/grant reporting requirements.
Unfortunately, this is not the case, and increased enforcement of regulatory requirements has been the reality of the past five years. In order to assess your risk, ask your external auditors if and when their firm has been visited/audited by the federal Inspector General. If the answer is no, you must evaluate the firm’s expertise and qualifications to properly conduct a single audit in accordance with Yellow Book Standards.
5) Federal and state cost reporting. A risk area closely aligned with single audits. However, most cost reports are subject to specific requirements of the state funding source, as published in the New York Code of Rules and Regulations (NYCRR). If you do not have someone in your organization designated as the NYCRR monitor, assign this responsibility tomorrow.
6) NYS Charities Bureau. Virtually every nonprofit organization in New York State does some form of fundraising. Most organizations are registered with the New York State Charities Bureau, a division of the attorney general’s office. However, many organizations are relatively clueless about the rules and regulations governing fundraising events and activities. This is particularly true for raffles, games of chance, and fundraising in direct competition with for-profit entities.
7) Information-technology security/controls. Continued advances in technology, both from a cost and sophistication perspective, threaten the vast majority of tax-exempt organizations. This is particularly true for smaller nonprofits with annual budgets below $10 million. Number one on your risk assessment in the IT area is whether or not your network is adequately protected from outside unauthorized access (i.e., hackers).
There are myriad technology-related laws and regulations. Once again, I would recommend that you assess your internal IT capabilities and competence, as well as ask your external audit firm regarding its expertise in this area. The cliché, “What you don’t know, can’t hurt you,” definitely does not apply in the area of technology risk.
There you have it. One of the most important elements of an effective regulatory compliance program is your ability to identify and address risks where they do, in fact, exist. Use the list above, together with Medicare and Medicaid, for purposes of preparing and completing an annual compliance work plan for your organization.
Gerald J. Archibald, CPA, is a partner in charge of management advisory services at The Bonadio Group. Contact him at (585) 381-1000, or via email at firstname.lastname@example.org