Affordable Care Act Reporting Software

The Biggest Challenges of Affordable Care Act Reporting

Written by Adam Miller, HR Compliance Manager, Passport Software, Inc.

I’ve helped hundreds of Applicable Large Employers (ALEs) manage their Affordable Care Act requirements and file their 1094-C/1095-Cs. Though each had different reporting needs, the same question kept coming up…

How do I complete Part 2?

1095-C Part II
The original source: https://www.irs.gov/pub/irs-pdf/f1095c.pdf

Lines 14, 15, and 16 make up Part 2 of the 1095-C and provide details of an employer’s offer of coverage to a full-time employee. Knowing how to correctly complete this section is imperative for Affordable Care Act compliance and avoiding penalties.

Line 14—Use code 1E.

Choosing a line 14 code requires you to know three things:

  • Was coverage offered?
  • Did it meet minimum standards?
  • Was it available to the spouse and dependents?

Deciding on the best 1A-1K code to complete line 14 has one extra nuance, and it can save you hours of scrutiny: If a full-time employee is offered coverage and has the unconditional option to add their spouse and dependents to their plan, you may use the corresponding 1E code for all employees offered coverage—even those who are not married or do not have children. Since spouse or dependent coverage doesn’t need to meet any cost standards, there is little reason not to offer it.

With this allowance, most fully ACA-compliant companies will find they can use Line 14 code 1E for every 1095-C they submit, instead of 1B for single employees, 1C for single parents, and 1D for childless couples. Your life is already easier, isn’t it?

Line 15—Forget about Line 14.

This continues to be a very tough concept to nail down. The IRS wants to know: What is the monthly employee’s share of the least expensive, employee-only plan available to this person?

Let’s review each part of that statement.

  • Employee’s share—the employee’s remaining portion after the employer’s contribution.
  • Least expensive—the qualifying plan with the lowest monthly cost available, often referred to as bronze level. This is not what the employee is paying for a more comprehensive plan.
  • Employee only—One Person. Forget that on Line 14 you reported that the offer included the spouse/dependents. For the purposes of ACA reporting, it does not matter which plan an employee actually enrolls in, only what they could have chosen and what it would have cost them.

Line 16—What happened after Line 14?

It isn’t difficult to find that code 2C applies to employees who accept an offer of coverage, or that 2B is used for a part-time employee. Things start to get murky with code 2D. Code 2D refers to the variable-hour[i] employee who is in their Initial Measurement Period, also known as the Look-Back Method.

People start to panic when it comes to employees who were offered insurance but declined. In their 1095-C Instructions, the IRS wrote 1181 words describing all the Series 2 Codes in use. Nowhere does it say “Use code __ if the employee declined coverage.” In cases where you have made a fully qualified offer which an employee has turned down, use whichever of 2F/2G/2H matches your method for calculating their income and ensuring affordability:

  • Use 2F if you look at W-2 Wages
  • Use 2G if you use the Federal Poverty Level
  • Use 2H if you look at the employee’s Rate of Pay

Congratulations…

Not only have you completed Part 2, but unless your company self-insures, you can bypass Part 3 completely!

What’s the next step?

Knowing how to correctly use the codes and contribution fields is fundamental, but organized tracking of ACA-related information throughout the year is equally important to save time and avoid penalties. A good, regularly maintained spreadsheet is a serviceable option for smaller ALEs with straightforward ACA reporting. For larger employers, or more complicated reporting, a specially designed software solution or service will reduce the compliance workload and help avoid penalties. A good one will help you accurately manage changing and editing data and even create the 1094-C/1095-C forms or electronic files.

Passport Software’s ACA Software and Services range from on-premise software to full year-round compliance management services. Our friendly service is fast and accurate, and our customers have given us great reviews. Our software is IRS-certified and we are IRS-approved to file on behalf of our clients.

Dealing with past years reporting troubles? We can help there, too.

Learn more about Passport Software’s ACA Software and Services, or call us at 800-969-7900.

[i] variable-hour refers to cases where it is unclear whether the employee will be comfortably above or below the 130 hour per month full-time threshold.

Form 1095-C
The original source: https://www.irs.gov/pub/irs-pdf/f1095c.pdf

About the Author:

Adam Miller

Adam Miller is the HR Compliance Manager at Passport Software, Inc. He designed their ACA Software and, as a support tech, he has helped hundreds of people with Affordable Care Act compliance and reporting.  Adam has a background in engineering, the service industry, and print, which makes him a technically proficient and friendly communicator for Passport Software.

Passport Software, Inc.

181 North Waukegan Rd, #200

Northfield, IL 60093

800-969-7900

If you want to share this article the reference to Adam Miller and The HR Tech Weekly® is obligatory.

Employee Data and GDPR. What You Need to Know

Every organisation that processes personal data must comply with the new GDPR rules that take effect in May 2018. There are no exemptions based on size or sector, no staggered dates for compliance and, based on the current performance of the body responsible for policing data protection legislation, a rock-solid guarantee that the new regulations will be enforced and, where companies fall short, fines imposed.

Those with HR and people responsibilities are, without a doubt, at the front line of GDPR compliance. They work with personal data all the time: in fact, their jobs could be said to rely on it.

As custodians of employee information, they’ll be the ones who will need to audit existing processes; validate their own security and that of third parties that they share HR information with such as HR software and payroll providers; take on at least some of the responsibility for compliance training and monitoring and equip themselves to report any data breaches involving employee data, as well as respond to ‘subject access requests’ from employees.

Where should you start?

For many HR teams getting to grips with GDPR is understandably daunting. Not least, because so much has been written about the higher standard of consent for processing personal data that the legislation requires – and the cost of getting it wrong.

At first glance, asking employees for consent seems reasonable. You may already let employees know why you ask them for personal information and what you use it for.

However, when it comes to collecting and processing employee data in the context of GDPR, a reading of the regulations indicates that the focus on consent is misleading and could, in fact, be damaging.

Under GDPR, consent is defined as meaning “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

In an employment context, relying on consent is problematic for three main reasons:

  1. It’s administratively complex. Since consent needs to be ‘specific’ and shown by a ‘clear affirmative action’, a catch-all clause in an employment contract, or on the login screen to your HR software, won’t cover it.
  2. It’s unlikely to be enforceable in law. In an employment relationship, demonstrating free consent is almost impossible since the relationship is not one between equals. By refusing consent, an employee may feel that they put their relationship with their employer in jeopardy.
  3. By asking an employee to give their consent to processing information, you may inadvertently give them stronger rights to have their details deleted. What would be the business implications if, for example, an employee demanded that you delete data about their absences (sickness or otherwise), performance, skills, perhaps even their address? It may seem unlikely, but it’s possible.

Legitimate business interest

Instead, HR should rely as far as possible on legitimate business interest. This should cover the data that is required to ensure the employer fulfils their contractual obligations to their employees. For example, to pay them, award paid time off, manage grievance or health and safety issues etc. It will also extend to issues relating to the effective running of the business, such as monitoring absences, performance reviews or skills audits (with a caveat in relation to automated decision making – which is also covered by GDPR).

Legitimate interest cannot be applied in all cases. For example, processing employee information related to wellness initiatives, while laudable, is likely to require consent, as is sharing personal data with third parties so they can market their services to your employees – however attractive the offer.

An essential first step for HR, therefore, is to audit and document employee information: what you gather and why, where you store it, how you ensure it is accurate and up to date and who you share it with. This forms the foundation for the other activities that HR – or someone else in the organisation – will need to address for GDPR compliance.

The ICO (Information Commissioner’s Office) has put together a handy 12-point plan for anyone with day to day responsibility for data protection, much of which is relevant to HR.

Beyond the data audit, top priorities for HR are likely to include: updates to privacy notices, review of current consent approaches, awareness and training activities, internal and partner data security reviews, processes for reporting data breaches and a cost-effective response to subject requests for information.

For HR teams making do with spreadsheets and paper-based files, GDPR may also provide the impetus to modernise personnel record keeping. In a side note to the legislation, the regulator recommends making use of employee self-service HR software, so that employees can both see, and where appropriate correct, the data their employer holds on them.

Consolidating HR information in a single, secure HR software system has other benefits for GDPR compliance. It’s generally easier to demonstrate that you have appropriate security in place if personnel records are held behind a secure login than in spreadsheets or office filing cabinets and approval workflows and audit capabilities make tracing and tracking infinitely easier than trawling through historic emails.

Although GDPR will not be in force until May 2018, the new regulations will have significant implications for the way that companies manage their HR data. HR need to start to prepare now.

Please note: this article is based on our understanding of the requirements of GDPR and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation.  You should refer to the legislation and, if in doubt, work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.


If you want to share this article the reference to Sue Lingard at Cezanne HR Software, and The HR Tech Weekly® is obligatory.

CEO’s Corner: Charlene Li on Technology and Employee Experience

Charlene Li

At the end of June 2017, the CEO’s Corner post put a spotlight on Charlene Li, Principal Analyst at Altimeter (a Prophet Company) and keynote at this year’s HR TechXpo. Li supports leaders to thrive with disruption, primarily focusing on creating business strategies and developing leadership around digital, social, and emerging technologies. An analyst since 1999, and having seen business, society, and the world undergo seismic changes over the last 18 years, she’s driven to create research and thought leadership that helps to bring greater clarity and inspire audacious actions.

The interview is hosted by Greg Morton, a corporate strategy and growth development specialist and Chief Executive Officer of the Northern California HR Association.

Q: You talk about the seismic changes that have recently occurred in the workplace. Besides the obvious impacts of technology, virtual work, and social media, what’s a change you are observing that most people are underestimating? 

A: One of the biggest overlooked opportunities is thinking about the employee experience, as opposed to employee engagement. Employee experience is when you look at a situation through the eyes of the employee, and focus on how the day-to-day experience creates a deeper relationship between the organization and employees. This is a significant shift for HR who must shift from managing transactions (recruiting, hiring, evaluations) and risk mitigation (training and compliance) to nurturing relationships. Technology makes this easier but it’s only when technology fades into the background, and the relationship work comes forward, that the experience becomes a differentiator to the employee.

Q: What is the biggest takeaway you hope readers get from The Engaged Leader?[i]

A: Relationships form the foundation for leadership and I hope that by reading the book, people understand that digital channels must be part of the repertoire of skills leaders use to develop relationships. My hope is that readers are inspired to hit the pause button on their busy day and take a few minutes to reflect on how they need to be better engaged — even if it means simply listening to the people crucial to the achievement of their goals.

Q: We’re getting ready for our 2nd Annual HR TechXpo which last year was quite an exciting event showcasing the intersection of HR and Technology. You have talked to hundreds of providers, so are probably not easily wowed. What are one or two technological features you have seen in HR solutions that have knocked your socks off?

A: I’m excited to see SaaS-based strategy planning and execution tools getting traction in the market from companies like StrategyBlocks and Cascade. The software makes explicit and transparent the strategic plan of the organization, so that everyone across the organization is connected to the strategy. This means it’s clear how what you do every day impacts the long term strategy. It takes the idea of “connected workforce” and gives it a direction and objective, where the purpose of the connection is a strategic objective. This is exciting for HR because it ties together HR functions (workforce management, performance evaluation) and ties it directly to strategy and business outcomes.

You can find Charlene Li on LinkedIn and on Twitter.

You can find Greg Morton on LinkedIn or on Twitter.

[i] Charlene Li. The Engaged Leader: A Strategy for Your Digital Transformation – Wharton Digital Press, 2015

2nd Annual HR TechXpo will take place on August 25, 2017 in Hilton Union Square, San Francisco.

The HR Tech Weekly® readers get a free registration! Enter promo code hrtechweekly at time of checkout when you register here: http://hrtechxpo.com/register.

Please use #HRTechXpo to share the news about this exciting event showcasing the intersection of HR and Technology.

If you’d like to comment or have further questions for Charlene Li or Greg Morton, you are welcome to leave your reply here or post on social media adding #CEOCorner.


Source: CEO’s Corner: Charlene Li on Technology and Employee Experience

HR and Business Are Looking for Data Analytics and Insights

Stacey Browning, President of Paycor

Today our guest is Stacey Browning, President of Paycor.

Since 2001, Stacey has played an integral role in every aspect of Paycor’s operations. As president, she fosters collaboration across the business and ensures executional excellence in product development and service delivery.

Paycor is a trusted partner to more than 33,000 small and medium-sized businesses. Known for delivering modern, intuitive recruiting, HR and payroll solutions, Paycor partners with businesses to optimize their people management.

Paycor’s key areas of specialization include Payroll Management, Human Resources Solutions, Benefits Administration, Time & Attendance Solutions, Tax Filing & Compliance, Workers’ Compensation and Employment Screening Service.

Recently Paycor announced Workforce Insights, a new data visualization solution that extracts rich and actionable insights from people data to bring valuable C-level and operational insights to key business stakeholders.

The interview is hosted by Alexey Mitkin, Founder, Publisher and Editor-in-Chief, The HR Tech Weekly® Online Media Co.

  1. Hi Stacey, and first of all thank you very much for this interview with The HR Tech Weekly®. Straight away, why have you developed Workforce Insights and how will it complement other Paycor products?

Our innovation is driven by uncovering ways to better serve our clients, and Workforce Insights is no exception. Last August we surveyed our clients about the features they wanted to see in future product releases. After reviewing more than 1,000 client responses, we found that the overwhelming majority were looking for data analytics and insights.

In addition to evaluating our client’s feedback, we also looked at industry trends that show HR professionals are striving to prove their strategic value to executives. One way we can help them is by organizing their key people data in a manner that helps with business execution.

For example, through the Workforce Insights overtime dashboard, information from our time platform is correlated to OSHA incidents reported on in our HR platform. Leaders can uncover safety thresholds exceeded by location, department or manager to home in on where a performance issue may be occurring.

  2. What key benefits and advantages does Workforce Insights have when compared with other tools on the market?

Most other tools on the market force standard charts and data visualization. Workforce Insights allows customers to view their data in the way that is most impactful for their unique business needs.

Another key differentiator is the one-click sharing functionality. Users can take their insights and share that information with the appropriate parties without having to import or export data. The custom reporting and one-click sharing allows users to not only have access to the data, but to make it meaningful and actionable.

  3. Why do you think small and medium-sized businesses need their own HR technology solutions?

Employees at small and medium-sized businesses (SMBs) are often forced to wear multiple hats, and sometimes that even means taking on responsibilities like payroll. HR technology solutions help relieve the administrative burden of payroll and benefits while ensuring reliability and security, while also protecting against the risk of compliance infractions.

What Paycor offers seems to be what’s desired most by SMBs – a platform or suite of functionality at the right per-employee-per-transaction and per-month price point that doesn’t require a customization. A solution that can be implemented and have value derived in three days to three months, and that can adapt with them as their organization grows.

  4. Paycor has run its operations since 1990. How have your clients’ needs during this period changed, and what is the secret sauce for long-term success?

Since 1990, the technological needs of our clients have changed dramatically. In 1990 computers were large and expensive, “the cloud” didn’t exist, and phones were connected to a landline or, for a select few, in a bag in your car. Since then, clients have had to react to the demands of their workforce; faster access from any device, and our products have had to evolve accordingly.

Our secret sauce for long-term success may be the only thing that has remained the same since 1990 – putting our clients first. We were founded because our CEO believed there was a better way to serve the needs of our clients, and it’s that passion that still drives us today.

  5. Achievements in big-time sports are based on grassroots sports. What can you recommend to HR Tech startups on how to get into the highest league?

The energy around new HR tech offerings through start-ups informs the entire industry. For some of these startups, success looks like being acquired into a larger company and human capital offering. For those wanting to progress into a higher league more independently, I recommend having an openness to partnerships and distribution options, and feedback to the offering itself. The best emerging technologies in HR are built and market-tested quickly.

  6. Since its founding, Paycor has grown to 1,460 people onboard. What do newbies need to know about the company in order to have a successful career with you?

First, excel at the job you are given, and then look for ways to take on more responsibility. It can be dangerous to be too eager to move to the next level without first nailing the task you are given. At the same time, becoming complacent doesn’t allow you to be a change agent in the organization.

To take on that next challenge and excel to the next level it is critically important that associates know and own their personal brand. Your personal brand is what people say about you when you leave the room. Think about the impression you want to leave, and make it.


If you want to share this interview the reference to Stacey Browning, Paycor and The HR Tech Weekly® is obligatory.

HR Outsourcing May Steady the Path to Success

For years, HR outsourcing (HRO) has begrudgingly worn a label of dedication to small businesses. Yes, there are incredible merits for small businesses within this stereotype, however the advantages of an outsourced Human Resources department show benefits for organizations of all sizes.

Recent statistics have pulled back the curtains to reveal increased reliance on HROs for business-related tasks. A global Deloitte study found that more than 35 percent of respondents already measure the value of their HRO, with another 32% planning increases in Human Resources over the next year.

And while some attribute Human Resource outsourcing to small business ventures, the industry is exploding. Outsourcing firms are expected to generate $53.9 billion in business by 2020.

The figures are clear, but for business owners thinking of making the shift, the advantages must offer total compliance satisfaction in order for the investment to pay dividends. If leaders can trust an outsourcing firm to manage daily tasks, long-term strategic goals can take center stage to focus on the business’s long term growth and needs.

So why are more organizations outsourcing the functions of HR, and is it truly achieving the goals it sets to satisfy?

HROs Reduce Company Risk

Over the past decade, workplace case complexity has increased almost across the board. Especially for startups and small businesses, the resources exhausted throughout workplace investigations quickly become overwhelming. HR professionals, likewise, are not experts in all fields of law and sometimes untrained to handle complex caseloads.

A HRO mitigates these risks by remaining up-to-date on all local, state, and federal regulations the organization must comply with. Likewise, they have the benefit of conducting unbiased, thorough, and timely investigations that reach clear conclusions and move the organization beyond the situation.

Although HR is not directly a profit center for businesses, it does minimize risk, create better efficiencies, and save money from being lost or spent unnecessarily. So even though HR might not be bringing in revenue, it can directly help with keeping more profit for the company.

Because minor oversights can cause costly delay, or worse, litigation, it is important for organizations to trust their workplace investigations with HR professionals who are experts in the field of risk mitigation and fair procedures.

HROs Meet Compliance Standards

A must for organizations of all sizes, compliance standards have the nasty habit of constant updates and overhauls, delays and reversals. It is imperative that businesses keep up-to-date with all standards expected within their industry and state–which can become overwhelming for an HR team already overloaded with important tasks.

But compliance means more than regulatory satisfaction. HR compliance is an umbrella term that may include things like cultural obligations, the ACA, licenses, collective bargaining, separation, and a slew of other considerations.

And organizations aren’t just worried about keeping up, they’re also tasked with recognizing any variances between their own policies and applicable laws.

Typically, the HRO chosen immediately focuses on compliance standards and potential issues, reducing risk and assuring satisfaction. Their goal is to provide a strategy that replaces any potentially damaging policies and reviews your policy regularly in line with updates to law.

Without this burden, organizations are freed from surrendering in-house time and resources to keeping up with regularly changing laws and reviewing their policies.

HROs Prove Financially Beneficial

Especially for smaller businesses (it’s a hard-to-shake label), a HRO is simply more cost-effective than hiring a full-time, in-house HR professional.

For companies of all sizes, there are smaller benefits that HR outsourcing brings with it. More office space without an HR team allows the organization to grow in workforce without concern for office overpopulation. In fact, a recent Deloitte study found that of those surveyed, a healthy 47 percent chose to outsource based on its solution to capacity issues.

Efficiency and productivity are influenced by office design, and outsourcing HR satisfies the conditions for a more efficient, productive workspace.

HROs Provide More Affordable Group Rates

Healthcare affordability is a top concern for employees. Not only that, but those who receive affordable health care coverage through their employer are more likely to find satisfaction in the job. Prudential Financial Inc found that 46% of employers were either outsourcing or looking to outsource the requirements of the ACA.

Because HROs work with many companies, they can take advantage of reduced bulk pricing. For small and large businesses, this provides quality coverage for employees at lower costs.

The advantages of an HRO for group rates extend beyond the coverage employees receive. Because ACA requirements are ever-changing, with sweeping changes on the way, an HRO also cuts the administrative cost of sifting through constant updates.

For organizations with an HR team, outsourcing health care oversight to an HRO minimizes the burden on HR while preventing easily-made mistakes.

HROs Strengthen Recruiting Methods

As companies turn to more strategic, aggressive recruiting methods, outsourcing this HR function has become more widely popular. Organizations are “becoming increasingly inventive to attract and retain valuable candidates”, Byrne Mulrooney told SHRM earlier in 2016.

Because many HR teams are unequipped to attract top talent in a way larger organizations can, the task is being outsourced to companies specializing in the field, like Mulrooney’s. When combined with bolstered benefits, appeal to organizations outsourcing these functions is elevated on a budget.

Choosing one or more HR functions to outsource is smart organizational planning. Freeing up resources and time to focus on the growth of the company allows leaders to plan for long-term growth and goals. As the industry continues to grow, it will undoubtedly change the roles of internal HR teams, aligning them with more strategic functions over day-to-day tasks.


If you want to share this article the reference to Todd Giannattasio and The HR Tech Weekly® is obligatory.

How to Survive a Management Audit

How would you fare if auditors walked in the door tomorrow morning and started scrutinizing all your processes, policies and procedures? Here are descriptions of several types of audits and four tips for making your management audit less stressful.

This is a test. Which of the following are common occurrences during IT Management Audits?

1. Staff members quit.

2. Staff members break down in tears in front of the consultants.

3. Staff members fly into a screaming rage at the consultants.

4. Staff members lie to the consultants.

5. Staff members refuse to cooperate.

6. All of the above.

If you selected item 6, you get a gold star! There is no reason for any of these behaviors but they occur all too often, especially in organizations in which audits are not routine events. The consultants are there to identify problems and help improve operations. They wouldn’t have been hired if everything was peachy keen, but Information Technology management and staff members rarely see it from this perspective. Identifying the problem is the first step to recovery. All Information Technology organizations should be managed as if an audit is imminent. How would you fare if auditors walked in the door tomorrow morning?

Why are you being audited?

There are many reasons for conducting audits, but following are the four I encounter most often.

Regulatory compliance audits

In market sectors such as Financial, Behavioral Health, Medical, and Pharmaceutical, periodic audits are the norm and the guidelines are clear. In any given year, a Behavioral Health clinic in NY State, for instance, may be required to undergo 4 separate audits including Medicaid, HIPAA, OMH (Office of Mental Health), and OASAS (Office of Alcohol and Substance Abuse Services). In many of these cases, the auditors show up unannounced or on very short notice.

Compliance audits aren’t technically management audits, but the scores on such audits are certainly a direct reflection of management’s performance. Would your policies, practices, procedures, and documentation measure up to the scrutiny to which a Behavioral Health clinic is subjected?

Performance audits or ‘What’s wrong with our IT operation?’

Often, members of the IT management and staff think they are doing a spectacular job but the customers and executive management disagree vehemently. In the worst cases, end users are preparing their pitchforks and torches in case the audit doesn’t bring about some positive performance outcomes. These audits are tough; the IT staff is defensive and they all assume that the consultants are there to fire them. Sometimes, the hostility reaches levels that make me feel like Patrick Swayze’s character, Dalton in the 1989 movie Road House. I have been accused of cherry-picking information, interrogation, and cross examination and I have been screamed at in front of a large audience. The truth is, I am simply researching a complex problem and I will work diligently to provide answers to the people who are paying me to do so.

During these audits, employees sometimes resign even before the final report is released. This is unfortunate because poor performance is a reflection of management rather than staff. At other times, excellent employees leave because they have had their fill of ineffective management. Frustrations become bitter tears dripping on the conference room table, even from managers.

New management

Sometimes, incoming executives want an X-Ray of organizational performance and requesting an audit is an intelligent professional move. They want a clear distinction between the previous management’s practices and their own and they use the final report to establish a program of organizational change.

IT is too expensive

Occasionally, IT audits are conducted because executive management considers the IT operation too expensive. They want an independent audit and a strategic plan that shows all the viable options.

4 tips for a lower stress audit

If the auditors are coming next week, there probably isn’t much you can do to improve the outcome, but there is plenty you can do to make the process more comfortable for everyone involved.

Answer binary questions with binary answers

When questions requiring a Yes or No answer are met with lengthy explanations, it is a clear indication of a problem. When I ask if you have documentation of your daily security log validation, just say yes or no! If you don’t have the required documentation, no amount of explanation is going to help. Also, I am not really interested that you are going to begin implementing your security program next month. Good for you, but I only care about what your actual practices are at the time I ask.

Don’t lie, embellish, or bury information

I always walk into audits and assessments taking a neutral, objective stance and I appreciate clients who don’t try to pre-program me. I will selectively ask for evidence or documentation for every statement you make and false statements will certainly damage your credibility. When subjects provide evasive or ambiguous answers, my inner Columbo puts on his trench coat. Equivocation and rationalization drive me to keep searching until I get the answer. Just tell the truth.

Instruct your staff to cooperate politely

I recall one compliance audit where a staff member served up every document request with a plate full of anger and hostility. The odd thing about it was that all her ducks were in a row, which is pretty unusual. So, why the anger? Don’t unleash it on the consultants.

I remember several engagements where the IT staff tried to tell me that their IP addressing schemes and Visio diagrams were secret. Huh? As soon as I retrieved my jaw from the floor, I went over their heads and arranged for delivery of the requested information. These events created suspicion and hostility that weren’t required.

In two organizations I contracted with, staff members claimed their Security Policies were secret! How does that work? These sorts of behaviors are indicators of significant departmental and organizational problems.

Prepare documentation in advance

All documentation including policies, procedures, infrastructure documentation, logs, hardware and software inventories, PSA system reports, etc. should be readily available for the consultants. They will ask to see it. I generally ask for all this information before I go on site for the first time and I am always appalled by the number of organizations that have none of the documents that are generally accepted to be components of a solid Information Technology Governance program. Sometimes these data dumps include reams of irrelevant information in the hope that I won’t find the smoking gun.

Auditing for organizational culture

I include a frank assessment of departmental and organizational culture in my reports and it is sometimes less than flattering. Delivering this information to executives and managers generally creates a tense silence while they try to chew and swallow that particularly tough piece of meat. They rarely argue because they know it’s true, but few have dared to state the obvious out loud. A realistic and objective assessment of company culture is required to address the root causes of problems. Bad management, inefficiency, malfeasance and incompetence have often been enabled for years before an audit is finally initiated. Interdepartmental politics, turf wars, jealousy, meddling and backstabbing all contribute to the problems at hand and managers throughout the organization are responsible.

In many cases, executives and managers have worked in large, bureaucratic organizations for their entire careers and they can’t see the signs of broken company culture. They think bad behavior and dysfunction are the norm.

The final report

If the final report is not a testimonial of glowing praise for your IT operation, I urge you to sit back and reflect carefully before lashing out. The report is a mixture of data, facts, and input from your coworkers and end users. I always base part of my conclusions on both formal and informal interviews with end users and managers from every department in an organization. What ends up in the report is a reflection of what your colleagues really think about your operation. My career started with a four-year stint in army intelligence and I actually do cross examine and interrogate. The natural inclination of some IT Directors is to argue and pick apart every statement and conclusion in the report, but this is definitely the wrong approach.

A nearby local government entity with which I am familiar recently received a failing audit from a state regulatory agency. It wasn’t a first-time fail and the endemic problems have been simmering for decades. Several executives from this entity made statements to the press that the audit “was a gotcha audit. It’s all about paperwork and there is nothing real here. We’re providing excellent services.” Talk about denial! I believe they will come to regret those statements since the infractions were extremely serious and they will likely have to return millions of dollars to Medicaid. They may call a missing signature “a gotcha,” but Medicaid calls it fraud. Their culture is so broken that they really need a turnaround expert and complete replacement of the management, but they haven’t reached rock bottom yet, apparently.

In recovery

The correct response to a failing audit is to contemplate the report carefully and develop a proactive remediation plan immediately. Humility may save your job, but you can’t step off onto the recovery road until you admit you have a problem.

Ask for help. Operations that have been dysfunctional for years can’t be turned around overnight. Organizational culture may inhibit a turnaround and objective, external assistance may be required.

Listen to what your colleagues and objective auditors had to say and take it seriously. Don’t go swimmin’ in denial.

This article was originally published in CIO as part of the IDG Contributor Network.

Source: How to survive a management audit | CIO