
Read this if you are responsible for cybersecurity or are a member of a board of directors for a company or a nonprofit organization.

I recently joined the board of directors of a local nonprofit organization that addresses homelessness and food insecurity in our community. While it is a larger, well-established organization, it still needed cybersecurity support. For me, it is a meaningful way to give back using my expertise while improving the risk posture and security practices of the organization. In my opinion, the most critical area any board of directors should be addressing, along with establishing and mitigating risk, is incident preparedness. The board should require and receive reports on incident management programs, and where such programs are in place, they should be tested frequently.

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies and nonprofit organizations in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

For nonprofit boards, having an expert with cybersecurity skills as a board member may bring needed guidance and expertise to an organization that has limited resources but is still exposed to cybersecurity risk. It can be a valuable way to bring in advisory support and oversight where they are needed.

Additionally, all directors need to maintain continual knowledge about evolving cyber issues and management’s plans for allocating resources to preparedness in responding to cyber risks. Such knowledge helps boards assess the priority and investment decisions management puts forward for critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cybersecurity risks for their organizations. They may be useful as a starting point for board discussions and as a guide when reviewing management’s plans for addressing potential cyber risks.

General

  • What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
  • Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
  • Has the cyber risk management plan been tested?
  • Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
  • Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
  • What percentage of our IT budget is dedicated to cybersecurity?
  • Does that allocation conform to industry standards?
  • Is it adequate based on our threat profile?
  • What are the stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
  • What is the interaction model between senior management and the board for communications regarding cybersecurity?
  • Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

  • How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
  • Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
  • Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

  • Does the board play an active part in determining an organization’s cybersecurity strategy?
  • What are the key elements of a good cybersecurity strategy?
  • Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
  • How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
  • How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

  • What are the potential cyber threats to the organization?
  • Who is responsible for management oversight of cyber risk?
  • Has a formal cyber assessment been performed? Does it need to be updated?
  • Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
  • What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
  • Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

  • Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology, and are those individuals empowered to carry out those responsibilities?
  • Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
  • Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model as it may present a conflict. Many organizations align this function under the risk, compliance, audit, or legal functions, while others make it a direct or “dotted line” reporting to the CEO.)
  • Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

Cybersecurity controls

  • Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
  • What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
  • How effective are the organization’s risk management activities and controls identified in the assessment?
  • Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
  • Are there controls in place to ensure adequate, accurate, and timely reporting of cybersecurity-related content?
  • How does the company remain apprised of laws and regulations and ensure compliance?
  • What cloud services does our organization use and how risky are they?
  • How are we protecting sensitive data? Do we know what types of data the organization maintains? 

Threat intelligence and collaboration

  • What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
  • Does our organization share threat intelligence with law enforcement?
  • What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
  • What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

  • Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
  • How regularly should a board obtain IT metric information?
  • Is the information meaningful in a way that prompts a reaction and provides a clear understanding of the level of risk the organization is willing to accept, transfer, or mitigate?
  • How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

  • How does management validate the type and volume of cyber-attacks?
  • Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
  • How does an incident response and recovery plan fit into the overall cybersecurity strategy?
  • Is the board’s response role clearly defined?
  • Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
  • Is there a culture of cyber awareness and reporting at all levels of the company?
  • Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

  • How does the board remain current on cybersecurity developments in the market and the regulatory environment?
  • Currently, how does the board evaluate directors' knowledge of the current cyber environment and cybersecurity issues impacting their organizations?
  • Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
  • Are directors provided with educational opportunities in this area?
  • Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

  • Has oversight of cybersecurity reporting been defined for management and the board?
  • Are company policies and procedures to identify and manage cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, board of directors’ cybersecurity expertise, and its oversight of cybersecurity risk being included within the financial statement and proxy disclosures?
  • Does the company have a mechanism for timely reporting of material cybersecurity incidents?
  • Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help. 

Article
Board oversight of cybersecurity: Questions to ask

Read this if you are a board member or responsible for providing CECL information to your board.

We’ve heard so much about Current Expected Credit Losses (CECL) in the past few years leading up to its adoption by all remaining financial institutions in recent calendar year-end financial statements. The focus has been, rightfully so, on its actual adoption: making sure policies and procedures are adjusted to appropriately account for the new standard and that financial statement disclosures comply with the new requirements. With year-end 2023 largely concluded, and people having had the chance to catch their breath, the focus understandably shifts to how best to optimize CECL for the long haul. Although we like to think the hard part (i.e., adoption) is behind us, which is certainly a reason to celebrate, there are questions that may still need answers. One of those is figuring out how much CECL information you should provide to your board and how often.

We often get inspiration in answering this question from Goldilocks: not wanting to provide too much information but also not providing too little—you want to provide just enough. This means providing enough information so board members can knowledgeably assess the adequacy of the allowance and provide robust challenge while not getting so much information that they could, in theory, reperform the calculation themselves. Some items to consider including in your board communications are:

Key inputs and assumptions

There are likely many inputs and assumptions that go into your CECL calculation, all of which bear some impact on your overall allowance. You likely identified those inputs and assumptions that are most important to your calculation when implementing the standard. Best practice is to have documented these key inputs, assumptions, and management’s rationale for them in a model document, and to include a monitoring schedule in your Allowance for Credit Losses (ACL) policy stating the frequency with which they will be reviewed and updated, and under whose authority review and approval is required.

Of course, each period, any changes requiring board approval will need to be disclosed to the board. But as part of your ongoing disclosure to the board, consider providing an overall summary of key inputs and assumptions and highlighting any that shifted in the prior period. These may include prepayment speeds, forecasting models, forecast length, reversion length, probability of default, loss given default, and aging buckets. This summary could be in narrative form, but it may be more effective to provide it as a list showing the inputs and assumptions period-over-period and explaining any significant changes. This will allow your board to quickly assess what has changed and effectively challenge those changes.

Analytics and trends

Analytics can be an effective tool in assessing your allowance calculation. We recommend incorporating analytics into management’s own review of the allowance calculation, as a final check before approving the calculation for the period. Many of these analytics could likely be recycled and provided to boards as part of your reporting. Some analytics to consider using are:

  1. Changes in the allowance period-over-period, possibly broken up by financial asset type
    For instance, for financial institutions, the financial asset type could be its various loan portfolio segments. For commercial entities, it could be the age of the receivables. Set a variance threshold for any changes period-over-period and investigate those changes that meet this threshold. The resulting explanations can then be incorporated into your board reporting.
  2. Charge-off trends
    Examine historical charge-off activity, looking for any significant changes over recent periods. Although recent charge-off activity may not correlate directly with your allowance levels, given the CECL requirement for reasonable and supportable forecasts and the use of forward-looking information, recent trends in charge-off activity could prove to be useful information for boards. If there are significant differences between recent charge-off levels and your current allowance, this may call for an explanation as to why. Consider presenting your charge-off activity in the form of an analytic, such as charge-offs as a percentage of credit loss expense.
  3. Delinquency trends
    Consider providing the board information on the payment status of your outstanding receivables, likely the largest financial asset subject to CECL. Past-due buckets (for instance, segregating your receivables by days past due) can be useful information for the board. Again, providing a period-over-period comparison can make the analysis that much more powerful. The usefulness of this information may vary, as past-due status may already be an input into your allowance calculation or qualitative adjustment methodology. Thus, the way in which this analytic is discussed with your board will likely vary depending on your allowance calculation.

Peer comparison

One of the more challenging aspects of CECL is finding good comparisons. Because adopters are given so much leeway under CECL in how to construct their methodology, we advise that peer comparisons be used with caution. However, peer comparisons should not simply be ignored for this reason. They can provide valuable insights into how like-kind companies are approaching their allowance calculations and reserve-level expectations. The emphasis now is on determining which peers are truly like-kind to you in the context of CECL and covered financial assets. Again, peer results may vary significantly from your own company’s results, but such differences may lead you and your board to consider whether those are really your peers, or to challenge your own model outputs, inputs, and assumptions.

CECL or Allowance for Credit Losses (ACL) policies

Maintaining a CECL or Allowance for Credit Losses (ACL) policy is an important part of overall governance. This policy should not go into as much detail as other model development, design, and calculation procedural documents. But it should address governance roles and responsibilities, authority, and required model risk management activities and standards, in addition to ongoing monitoring and reporting. Review this policy on an annual basis and present it to the board for approval. This policy will also help dictate how much CECL information is provided to the board and will allow you to revisit how much information and what types of information are provided at least annually.

Finding that “just right” mix of information takes time and will vary depending on your company’s specific circumstances. Companies for which the CECL calculation is a significant estimate will likely require more information than those for which CECL is less significant. Frequently ask your board if they feel as if they’re getting the right mix of information. Don’t be afraid to experiment with different reports and different levels of reporting. As always, if you have any questions or want some additional direction, please don’t hesitate to reach out to your BerryDunn team.

Article
Providing CECL information to your board: Best practices

Read this if you are involved in recruiting board members.

Board members serve as the backbone of companies and organizations across industries. They provide direction, oversight, and strategic guidance. Selecting the right people to serve on your board is important for the success of your organization. Here are some things to consider as you look for board members that fit your needs.

  • Identify and understand your needs
    Before initiating the recruitment process, identify the specific skills, experiences, and perspectives your board lacks or skills that could enhance board and organizational effectiveness. This can vary depending on what your board needs, but often includes financial acumen, legal knowledge, extensive management experience, and industry connections.
  • Outline the roles, responsibilities, time commitments, and expectations
    Be transparent about your mission, values, and the challenges you face. This clarity will attract candidates who match your goals and can fully understand what they're signing up for.
  • Reach out to your existing network
    Personal recommendations often yield high-quality candidates who are already familiar with your work and business. You could also consider spreading the word through company communications like newsletters and bulletins, social media, and events.
  • Actively seek out candidates from different age groups, ethnicities, genders, professions, and geographic locations
    Diversity in background, perspective, and experience enriches discussions, fosters innovation, and ultimately better serves your organization. 
  • Screen candidates thoroughly
    Implement a rigorous selection process to assess candidates' qualifications, commitment, and alignment with your values. Conduct interviews to gauge their passion for the business, leadership style, and ability to collaborate effectively. Consider requesting references and conducting background checks if deemed necessary.
  • Provide orientation and training
    Once selected, provide comprehensive orientation and continuous training to new board members. Familiarize them with your history, programs, governance structure, and strategic priorities. Offer opportunities for professional development to enhance their effectiveness in fulfilling their roles.
  • Engage the board
    Cultivate a culture of active participation, open communication, and accountability among board members. Encourage them to contribute their unique perspectives, skills, and networks to advance your goals. Establish expectations, evaluation mechanisms, and term limits to ensure accountability and prevent stagnation.
  • Nurture a supportive and inclusive board culture where members feel valued and empowered
    Celebrate achievements, recognize contributions, and cultivate camaraderie through team-building activities and meaningful interactions.
  • Regularly evaluate the effectiveness of your board composition, dynamics, and processes
    Solicit feedback from board members, staff, and stakeholders to identify areas for improvement and adaptation. Be willing to make necessary adjustments to ensure the board remains agile, responsive, and aligned with your evolving needs and goals.

By following these steps and approaches, your team can assemble a dynamic and dedicated board of directors equipped to navigate challenges, seize opportunities, and drive meaningful impact for your company or organization.

Article
Finding the right fit: Recruiting board members

Read this if you are responsible for your company’s income tax provision and disclosures.

In December 2023, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) No. 2023-09, Income Taxes (Topic 740): Improvements to Income Tax Disclosures. Although this ASU does not impact the accounting for income taxes, it does impact the disclosures of such and is applicable to all entities subject to income taxes. According to the FASB, “the Board is issuing the amendments…to enhance the transparency and decision usefulness of income tax disclosures. Investors, lenders, creditors, and other allocators of capital indicated that the existing income tax disclosures should be enhanced to provide information to better assess how an entity’s operations and related tax risks and tax planning and operational opportunities affect its tax rate and prospects for future cash flows.”

The main components of the FASB’s ASU can be broken down into three areas, as the ASU itself does:

  1. Rate Reconciliation
  2. Income Taxes Paid
  3. Other Disclosures

Rate Reconciliation

This amendment applies only to public business entities. Public business entities have always been required to provide a rate reconciliation, reconciling income tax expense at the statutory rate to the entity’s effective tax rate. This rate reconciliation could be displayed in amounts or percentages. ASU No. 2023-09 requires that this rate reconciliation be displayed in both amounts and percentages, and it also identifies the following specific categories that must be disclosed:

  1. State and local income tax, net of federal (national) income tax effect
  2. Foreign tax effects
  3. Effect of changes in tax laws or rates enacted in the current period
  4. Effect of cross-border tax laws
  5. Tax credits
  6. Changes in valuation allowances
  7. Nontaxable or nondeductible items
  8. Changes in unrecognized tax benefits

There is also a requirement that any reconciling item greater than 5% of the statutory income tax expense be separately disclosed, even if not one of the specific categories identified in the ASU. Furthermore, this 5% threshold applies to the cross-border tax laws, tax credits, and nontaxable or nondeductible items categories, meaning that if the reconciling item is within these categories and is above the 5% threshold, the item must be disaggregated by its nature. The 5% threshold also applies to the foreign tax effects category in that this category is required to be disaggregated by jurisdiction (country) and by nature if meeting the 5% threshold.

For example, let’s say an entity has research and development tax credits as well as energy-related tax credits, both of which are in excess of the 5% threshold. These tax credits would be required to be separately disclosed. However, let’s say tax credits in total are below the 5% threshold. In this case, tax credits would still need to be separately disclosed, as they are one of the specific categories identified in the ASU but would not need to be further disaggregated.

For the state and local category, a public business entity is required to provide a qualitative description of the states and local jurisdictions that make up the majority (greater than 50%) of the effect of the state and local income tax category. So, for instance, if the entity’s state and local tax is primarily derived from taxes paid to the states of Maine and Massachusetts, this fact must be disclosed.

Entities other than public business entities are required to qualitatively disclose specific categories of reconciling items and individual jurisdictions that result in a significant difference between the statutory tax rate and the effective tax rate. Paragraphs 740-10-55-232 and 55-233 provide an illustration of these disclosures.

Income Taxes Paid

All entities now must disclose:

  1. The amount of income taxes paid (net of refunds received) disaggregated by federal (national), state, and foreign taxes
  2. The amount of income taxes paid (net of refunds received) disaggregated by individual jurisdictions in which income taxes paid (net of refunds received) is equal to or greater than 5% of total income taxes paid (net of refunds received).

Other Disclosures

All entities now must disclose on an annual basis:

  1. Income (or loss) from continuing operations before income tax expense (or benefit) disaggregated between domestic and foreign
  2. Income tax expense (or benefit) from continuing operations disaggregated by federal (national), state, and foreign.

The ASU does eliminate the requirement for all entities to (1) disclose the nature and estimate of the range of the reasonably possible change in the unrecognized tax benefits balance in the next 12 months or (2) make a statement that an estimate of the range cannot be made.

This ASU is effective for public business entities for annual periods beginning after December 15, 2024. For entities other than public business entities, the ASU is effective for annual periods beginning after December 15, 2025. Early adoption is permitted. The ASU should be applied on a prospective basis although retrospective application is permitted.

The BerryDunn perspective

On the surface, this ASU may not seem important, as it only impacts disclosure. But the level of disaggregation required could make this ASU a time-consuming one to implement, especially for those entities that operate in many states and foreign jurisdictions. As indicated above, all entities now must disclose income tax expense and income taxes paid by federal, state, and foreign. This may require modifications to existing tax provision procedures to ensure this information is readily available come time to populate the income tax disclosures in your entity’s financial statements.

Conversations with those responsible for preparing the income tax provision should start now so the best process to accumulate the information needed for these new disclosures can be identified proactively, reducing, or possibly eliminating, the rework needed when it comes time to adopt this accounting standard. As always, please don’t hesitate to reach out to your BerryDunn team should you have questions.

Article
FASB issues an ASU focused on income tax disclosures

Read this if your organization receives federal grants.

Navigating the ever-evolving landscape of federal grant management just got more manageable, as the Office of Management and Budget (OMB) has issued the latest revision of the Uniform Grants Guidance for 2024. It introduces several significant changes aimed at enhancing clarity, efficiency, and compliance in grant administration. The effective date for these changes is October 1, 2024. Here's a closer look at the most noteworthy updates.

Fixed amount awards and subawards

  • The threshold for fixed-amount subawards requiring prior written approval from federal agencies has been raised from $250,000 to $500,000, providing recipients with increased flexibility.

Equipment-related thresholds

  • The acquisition value threshold for defining equipment has been raised from $5,000 to $10,000, reducing administrative burdens for recipients. Similarly, the threshold for unused supplies has been increased from $5,000 to $10,000.

De minimis indirect cost rates 

  • The de minimis rate for indirect costs has been increased from 10% to 15% of modified total direct costs (MTDC), providing recipients and subrecipients with greater flexibility in cost allocation.
  • Recipients and subrecipients can opt for a lower de minimis rate than 15%.
  • OMB has adjusted the exclusion threshold of subawards from $25,000 to $50,000 for modified total direct costs.

Single audit

  • The threshold for mandatory single audits has been raised from $750,000 to $1 million in federal expenditures, reducing the audit burden on smaller recipients.

Additional updates of note:

Streamlined Notices of Funding Opportunity (NOFO)

The revised guidance is putting more emphasis on streamlining Notices of Funding Opportunity (NOFO). Federal agencies are encouraged to make NOFOs more concise, accessible, and transparent, ensuring that essential information is effectively communicated to potential applicants. By simplifying NOFOs and adopting plain language, agencies aim to reduce administrative burdens and enhance the accessibility of grant opportunities, particularly for underserved communities and organizations with limited capacity.

Enhanced data-driven decision-making

Under the new provisions, federal grant recipients are permitted to allocate a portion of their funding toward data management infrastructure, including the acquisition of software, tools, and technologies for data collection, analysis, and reporting. This investment in data infrastructure enables organizations to establish robust data systems, streamline data collection processes, and enhance data quality, ultimately facilitating evidence-based decision-making and program evaluation.

Conclusion

The Uniform Guidance 2024 changes introduce significant updates aimed at improving accessibility, streamlining processes, and promoting data-driven decision-making in federal grant management. As organizations strive to implement these revisions effectively, partnering with experienced consultants can provide invaluable support. Reach out to BerryDunn today if you have any questions about the new updates or your specific situation. We’re here to help.

Article
Uniform grants guidance 2024: Key updates