

Read this if you work at a not-for-profit (NFP) organization.

BerryDunn’s annual Not-for-Profit (NFP) Recharge event highlighted a wide array of information to support the NFP industry sector. Each year, attendees are asked to identify their top concerns for their NFP organizations. This annual survey provides insight into the real-time concerns of nearly 200 nonprofit leaders from across the country. At Recharge 2024 (you can access presentations from the event here), survey results showed a continued trend among respondents toward a focus on financial stabilization.

The 2024 survey results indicated financial stability was a top concern for 69% of respondents, with employment issues listed by 51% of the respondents. This is a switch from 2023, where employment issues held the top spot. 

This continued decline in concern for employment issues (down from a high of 78% from the 2022 survey) is remarkable in the current climate of relatively low unemployment, continued turnover within the industry, and Department of Labor changes to salary exemption rules for overtime.

Overall, the top four concerns for NFP industry leaders were:

Investment in technology

Despite the additional cost of technology investment, the increasing focus on technology (48% of respondents highlighted tech as a top concern) appears to be in recognition that doing nothing in the tech space can cost more (through wasted hours, increased security risks, etc.) than investing in technology. At Recharge 2024, we highlighted some of the trends, benefits, and risks of AI in the current environment.

Organizational development

Concerns around organizational development (a concern for 40% of respondents) seem to represent increased interest in strategic planning, NFP programmatic partnerships, retirement planning, and expanded ESG opportunities. In addition to the survey results and industry update, attendees of Recharge 2024 learned more about the renewable energy tax credit, updates within the accounting sector, trends and opportunities in artificial intelligence, and a fresh look at employee benefit plan opportunities. 

The nonprofit sector continues to move forward with an eye toward long-term stability with a mission focus and a cautious growth mindset. Please contact our NFP team with questions. We’re here to help.

Recharge 2024 event resources
Nonprofit Insights podcast and other resources

Top concerns for NFPs: 2024 Recharge attendee survey results

Read this if you work in finance at a renewable energy company.

The renewables industry includes some fairly unique accounting and financial reporting considerations that aren’t as common in other industries. It is important that the accounting function for these companies has an understanding of these concepts to avoid surprises when brought up by their financial auditor or a third party during due diligence. Here are a few of the more common issues we encounter when working with clients:

  • Company structure 
    The ownership structure for renewable energy projects can be somewhat complex, as they are typically modeled to direct certain tax benefits to investors. There may be issues with variable interest entities, and some structures provide percentages of ownership which may change over time or flip between investors. Because of this changing ownership, owners typically will allocate the equity of the controlling and noncontrolling interests based on the hypothetical liquidation of the project at book value (referred to as “HLBV”) at each year-end. HLBV is not a method prescribed by US GAAP and is only used if it is determined to be appropriate and consistent with the economic substance of the allocation.
  • Power purchase agreements (PPAs)
    PPAs may need to be evaluated to determine whether they contain a lease. Accounting Standards Codification (ASC) 842 Leases provides the criteria for what meets the definition of a lease. Under the Implementation Guidance and Illustrations in ASC 842, an example is provided of a contract between a power company and a solar farm where the power company agrees to purchase all the electricity produced by the solar farm; based on the fact pattern provided, the contract is determined to contain a lease. It is important to understand the circumstances and contractual provisions that lead to the determination that a contract is a lease versus what leads to the determination that the contract is not a lease.
  • Asset retirement obligations (AROs) 
    Renewable energy companies that construct and operate an asset (such as a solar farm) on land that is leased from another party may have a legal obligation to restore the land to its original condition at the end of the lease. Here is more information on AROs.
  • Land leases 
    Companies may enter into land leases during the development phase of renewable projects. These agreements should be analyzed closely to determine whether they fall under ASC 842 Leases. There are a number of things to consider when looking at land leases, such as whether the lease gives the company the right to control an identified asset and whether the company has the ability to terminate the lease without incurring a significant penalty.
  • Revenue recognition for renewable energy credits (RECs)
    Revenue recognition related to the sales of self-generated renewable energy credits (RECs) can also present some accounting challenges when determining when revenue can be recognized in accordance with US GAAP. RECs generated by project assets sometimes need to go through a certification process that delays the actual sale of the REC; depending on the circumstances, including whether or not the project company has a contract to sell the RECs generated, revenue for RECs may be recognized over time (as power is generated) or at a point in time (when the RECs are actually transferred to a customer).

While this list isn’t exhaustive, it can help you find areas to focus on when preparing your financials. If you have questions about financial reporting for your company or need support for your accounting, financial reporting, or tax needs, please contact our renewable energy team. We’re here to help.

Sustainable books: Financial reporting considerations for renewable energy companies

As just about any school that files a Form 990 will tell you, the Schedule B is one of the more cumbersome areas of the entire return. Schedule B requires the disclosure of every single donor (be it an individual, an entity, or a governmental unit) who contributed $5,000 or more during the organization’s tax year, including their name, address, and the amount contributed, including even more detail and description if the donation is of something other than cash. For larger educational institutions that can receive hundreds of such disclosable donations in a given year, the Schedule B reporting onus can become downright brutal. However, there is a special rule available for Schedule B reporting that could greatly reduce that requirement. Fundraising and development departments rejoice!

Unlocking the special rule for Schedule B reporting increases the threshold for reporting contributions on Schedule B from every donor of $5,000 or more to only those contributors whose contributions exceed 2% of total contribution revenue reported on Page 1 of the Form 990. In order to use the special rule, schools must be able to pass the Form 990, Schedule A, Part II Public Support test.

Schedule A, Public Charity Status and Public Support, is required to be filed by all §501(c)(3) organizations. Part I denotes the organization’s Reason for Public Charity Status. Typically, educational institutions check off box 2, which notates the entity as a school described in section 170(b)(1)(A)(ii), and simply move on without needing to complete any other portions of the Schedule. However, schools can opt to complete Schedule A, Part II in order to demonstrate that they are publicly supported, which then qualifies them to use the special rule on Schedule B. Schools do still need to check off box 2 on page 1 of Schedule A and complete Schedule E (a schedule specific to schools) as required.

Passing the Part II test on Schedule A is accomplished by demonstrating that the organization receives more than 33 1/3% of its support from contributions, grants, or membership fees. As part of the test, excess contributors are required to be tracked. An excess contributor is a contributor, other than a governmental unit or publicly supported organization, who has cumulatively over the last five years made donations greater than 2% of total cumulative support received by the organization for the same period. Beginning with the current year, the required schedule must include the name of each donor and the respective amounts contributed for the current and prior four years. This schedule should be prepared and maintained on the same basis of accounting method used by the organization for financial statement purposes. This schedule is not included as part of the Form 990 filing—it is maintained internally by the organization and is not open to public inspection.

Any excess contributions reduce total Public Support as calculated on the Part II test. Public Support is then compared to Total Support, which includes income items such as investment income and unrelated business income, among others. As long as the resulting public support percentage is greater than 33 1/3%, the organization passes the test and unlocks the Schedule B special rule.

In a very basic example, if a school has a total contribution income of $5,000,000 during the year and is able to pass the Schedule A, Part II test as prescribed above, their Schedule B donor threshold rises from every donor of $5,000 or more to just those donors whose total contributions totaled $100,000 (2% of $5,000,000) during the year. As you can see, this greatly reduces and limits the Schedule B reporting burden to potentially just a few sizeable donors.

If your organization would like to evaluate using the Schedule A Part II test to follow the special reporting rule for Schedule B, please reach out to our nonprofit tax services team. We are here and ready to help!

Easy A for schools: Pass the test to reduce requirements under Schedule B

The Federal Deposit Insurance Corporation (FDIC) recently issued its first quarter 2024 Quarterly Banking Profile. The report provides financial information based on call reports filed by 4,568 FDIC-insured commercial banks and savings institutions. The report also contains a section specific to community bank performance. In the first quarter of 2024, this section included the financial information of 4,128 FDIC-insured community banks. BerryDunn’s key takeaways from the report are as follows:

The first quarter of 2024 resulted in community banks’ quarterly net income increasing $363.2 million from the previous quarter. 

Quarterly net income for community banks increased 6.1% in first quarter 2024, resulting in $6.3 billion of quarterly net income. Despite the increase in quarterly net income, full year net income declined. Compared to first quarter 2023, net income had decreased $1 billion or 13.9%. Half (49.9%) of all community banks reported a decline in net income compared to fourth quarter 2023. Net income for community banks was impacted by higher noninterest expense and lower net interest income.

Despite remaining consistent in the prior quarter-over-quarter comparison, NIM (net interest margin) resumes the declining trend into 2024.

Community banks’ NIM dropped in the first quarter to 3.23%. NIM was down 26 basis points from the year-ago quarter. The yield on earning assets increased 66 basis points, and the cost of funds increased 92 basis points. Despite the significant decline, the community banks’ NIM continued to exceed the overall banking industry’s NIM of 3.17%, which declined 10 basis points in first quarter 2024. The banking industry’s NIM dropped seven basis points below the pre-pandemic average NIM of 3.25% for the first time since third quarter 2022.

Loan and lease balances continued to grow in first quarter 2024, with 62.9% of community banks reporting quarterly loan growth. 

Loan and lease balances continued to see widespread growth in first quarter 2024. Community banks saw loan growth in all major portfolios except construction and development loans and agricultural production loans. Nonfarm, nonresidential commercial real estate (CRE) loans exhibited the most growth from fourth quarter at 1.4%, followed closely by residential real estate and C&I loans, both at 0.9%. Total loans and leases grew 7.1% from one year ago. This year-over-year growth was also driven by farm, residential real estate and nonfarm, nonresidential CRE loans, which showed growth year-over-year of 8.8%, 8.5%, and 6.7%, respectively.

More than half of all community banks (61.9%) reported an increase in deposit balances from the previous quarter. 

First quarter 2024 showed growth in interest-bearing deposits of $35.6 billion but a decline in noninterest-bearing deposits of $12.9 billion from the previous quarter. Total assets at community banks increased 0.8% quarter-over-quarter and 4.0% year-over-year. Community banks’ total deposits as a percentage of total assets have been declining since reaching 86.71% in first quarter 2022; however, community banks have yet to return to the low of 81.75% shown in first quarter 2020. The average total deposits as a percentage of total assets has shown year-over-year increases of 0.41%, 2.57%, and 0.95% from 2019 through 2022, respectively; however, the community banks have shown a year-over-year decrease in average total deposits as a percentage of total assets of 2.44% and 0.15% into 2023 and the first quarter of 2024, respectively.

BerryDunn and Stifel recently held the 11th annual New England Banking Summit on May 30th in Portsmouth, New Hampshire. The firms were joined by over 30 different organizations and touched on current economic trends, accounting standards and tax updates, strategies for maximizing benefits and minimizing risks within financial institutions, navigating change, and ways to optimize Current Expected Credit Losses (CECL) processes. Chief Economist Lindsey Piegza, Ph.D. from Stifel, spoke, amongst other things, about the May Federal Open Market Committee (FOMC) meeting. She noted she believes the FOMC will remain on the sidelines for longer than previously expected. The FOMC stated that “readings on inflation have come in above expectations.” This could continue to put downward pressure on NIMs more so than already seen in the above graph.

The inactivity by the FOMC has also wreaked havoc on some banks’ budgets, especially those that optimistically budgeted some rate cuts in 2024. But this projected inaction should not be reason to declare defeat. Bankers are great at pivoting, which was proven continuously during the pandemic. This is another opportunity for banks to pivot and change strategic direction. For instance, this may be a time to focus on other, non-interest revenue sources, or possibly revisit recurring operating costs for opportunities to streamline.

As always, BerryDunn’s Financial Services team will be right alongside you, navigating every rise, bump, and drop of this rollercoaster ride together.

FDIC Issues its First Quarter 2024 Quarterly Banking Profile

Read this if you are preparing for a retirement plan audit.

Few things can feel as daunting as preparing for an audit, especially if it’s your first time being audited. With all the information circulating about new laws and regulations dictating who is required to undergo an audit, compliance issues can become even more complicated. Here are some considerations to help you as you prepare for a retirement plan audit.

While it might seem obvious, it’s worth noting that the purpose of an employee benefit plan is to generate and protect retirement income on behalf of your employees. Plan transactions should be processed in accordance with plan provisions so that employees receive the maximum retirement benefits they have earned. This is why laws and regulations exist and, in some cases, audits are required. 

Fiduciary responsibility

Those who hold authority over employee benefit plan operations and assets—such as plan administrators—have a fiduciary responsibility to oversee and protect the plan, acting in the best interests of the plan’s participants and their beneficiaries. Fiduciaries can be held personally liable if this responsibility is not upheld. Yet this is only one of the many complexities that come along with maintaining an employee benefit plan. Additional complexities to consider include diversifying plan investments and selecting and monitoring service providers.

Even if your employee benefit plan does not meet the participant threshold that requires an annual audit, your plan is still subject to the same laws and regulations as plans requiring an audit. One of the most important things you can do as a fiduciary, or as someone involved in the operations of an employee benefit plan, is to stay current on changing laws and regulations. 

It is also important to understand your plan’s adoption agreement, including its nuances, which vary from plan to plan. These nuances can include, but are not limited to, navigating the intricacies of vesting provisions, participant loans, distribution types, and defining what constitutes plan-eligible compensation.

Independent auditors

Plan sponsors can also benefit from working with an independent auditor, even when it is not legally required. Many service providers offer consulting services, typically referred to as audit-readiness assessment services, at a lower cost than an audit and with similar benefits, including an understanding of any gaps in internal controls, a deeper understanding of accounting standards and compliance requirements, and an opportunity to improve documentation and processes to maintain operational compliance with plan documents and regulatory guidance. These services are vast and customizable and can help you maintain compliance with ERISA and IRS regulations, work efficiently with third-party administrators, and test operational workflows to identify processes that should be occurring throughout the plan year. 

As retirement plan auditors, a common challenge we see when conducting first-time plan audits is the amount of time it takes the employer to remit employee contributions to the plan and how quickly those funds are invested in the employee’s retirement account. Optimally, this transaction should align with the same date the employee funds are withheld during the payroll process. This is an area that would be examined by an auditor in an audit-readiness assessment and is one example of the many ways this type of service can support improvements to your plan operations and compliance.

Other things to be aware of include the timeline for processing electronic deferral election changes in the plan sponsor payroll software, calculation of participant vesting and identification of forfeited amounts, and making sure all calculations for contributions are based on the correct definition of plan compensation per your plan documents.

Audit-readiness assessments

Is your plan a candidate for an audit-readiness assessment? While not suitable for everyone, investing in an audit-readiness assessment service is certainly worth considering. This is especially true if your plan is growing, you are seeking to become better prepared should that audit come, or you are simply feeling overwhelmed. Whatever the case, if you would like to discuss your options, the BerryDunn Employee Benefit Plan Audit team is here to help. 

Considerations for preparing for your first retirement plan audit

Read this if you sponsor an employee benefit plan. 

Sponsors of defined benefit and defined contribution retirement plans should keep the following deadlines and other important dates in mind as they work toward ensuring compliance for their plans in 2024. Dates assume a calendar year plan. Some deadlines may not apply, or dates may shift based on the plan sponsor’s fiscal year. 


January

  • 15 / Fund: Possible fourth quarter 2023 contribution due for defined benefit pension plans.
  • 31 / Action: File IRS Form 945, Annual Return of Withheld Federal Income Tax, by January 31 for non-payroll income taxes, such as taxes withheld by retirement plans, during 2023.
  • 31 / Action: Distribute IRS Form 1099-R to participants by January 31 for 2023 retirement plan distributions.

Best Practice: Plan sponsor should confirm the accuracy of the prior year’s census data to the recordkeeper. This information is used for ADP/ACP testing, among other things.


February

  • 28 / Action: File IRS Form 1096, Annual Summary and Transmittal of US Information Returns, with IRS if using paper transmittal by February 28 for 2023 tax year.
  • 28 / Action: File IRS Form 1099-R in paper format with the IRS by February 28 for 2023 retirement plan distributions.

Best Practice: Review and approve compliance testing results sent by plan administrator.


March

  • 15 / Action: Highly compensated employees who fail the ADP/ACP test for the prior plan year must have refunds processed by March 15 (other than eligible automatic contribution arrangements).
  • 15 / Fund: Partnerships and S Corporations that are not getting an extension must fund employer contributions to receive tax deductions for the prior year.


April

  • 1 / Action: 401(k) plans with publicly traded employer stock that follow Article 6A of the Regulation S-X (SEC format) must file Form 11-K with the Securities and Exchange Commission by April 1.

Note: The IRS “weekend rule” does not roll the April 1 deadline to the next business day if April 1 falls on the weekend or holiday.

  • 1 / Action: Recordkeeper (or other responsible party) completes and files Form 1099-R electronically with the IRS by April 1 for 2023 retirement plan distributions.
  • 1 / Action: April 1 deadline for 5% business owners and terminated participants who turned 73 in 2023 to receive their required minimum distribution (RMD).
  • 15 / Fund: April 15 possible first quarter 2024 contribution due for defined benefit pension plans (i.e., contribute by April 15 before the weekend, as contribution deadlines are not extended to the next business day).
  • 15 / Distribute: Participants who contributed over 402(g) or 415 limits in the previous year must be refunded the excess amount by April 15.
  • 15 / Action: File PBGC Form 4010, Notice of Underfunding for single-employer defined benefit plans with more than $15 million aggregate underfunding by Monday, April 15.
  • 15 / Fund: C-Corporations and Sole Proprietors that are not getting an extension must fund employer contributions by April 15 to receive tax deductions for the prior year.
  • 15 / Fund: IRA contributions for the prior tax year must be funded by April 15.
  • 29 / Action: Send annual funding notice to participants of single and multi-employer defined benefit plans over 100 participants by April 29.


June

  • 28 / Action: 401(k) plans with publicly traded employer stock must file SEC Form 11-K with the Securities and Exchange Commission by June 28 or file an extension on SEC Form 12b-25.
  • 30 / Action: Highly compensated employees who fail ADP/ACP test for prior plan year must have refunds processed by June 30, if an eligible automatic contribution arrangement (EACA).


July

  • 15 / Action: 401(k) plans with publicly traded employer stock that requested a 15-calendar day extension (SEC Form 12b-25) for the SEC Form 11-K must file the SEC Form 11-K with the Securities and Exchange Commission by July 15.
  • 15 / Fund: Possible second quarter 2024 contribution due for defined benefit pension plans by July 15.
  • 31 / Action: File IRS Form 5500, Annual Return/Report of Employee Benefit Plan, and IRS Form 8955-SSA, Annual Registration Statement Identifying Separated Participants with Deferred Vested Benefits, for the 2023 plan year by July 31.
  • 31 / Action: To request an extension of time to file IRS Form 5500, file IRS Form 5558 by July 31.


September

  • 15 / Fund: If an extension was filed, September 15 is the deadline to fund employer contributions for Partnerships and S Corporations.
  • 15 / Fund: September 15 is the last date to make 2023 contributions for single and multiemployer defined benefit pension plans.
  • 30 / Action: By September 30, distribute the Summary Annual Report (SAR) to participants if the Form 5500 was filed on July 31.


October

  • 3 / Action: Distribute annual notices to participants no earlier than October 3 and no later than December 2, including notices for 401(k) Plan Safe Harbor Match, Automatic Contribution Arrangement Safe Harbor, Automatic Enrollment, and Qualified Default Investment Alternatives (QDIA).
  • 15 / Fund: Possible third quarter 2024 contribution due for defined benefit pension plans by October 15.
  • 15 / Action: October 15 is the extended deadline for filing IRS Form 5500 and IRS Form 8955-SSA.
  • 15 / Action: October 15 is the extended deadline for filing individual and C Corp tax returns.
  • 15 / Action: If an extension was filed, October 15 is the deadline to fund defined contribution employer contributions for C Corporations and Sole Proprietors.
  • 15 / Action: October 15 is the deadline to open a Simplified Employee Pension (SEP) plan for extended tax filers.
  • 15 / Action: Send annual funding notice to participants of single- and multi-employer defined benefit plans with 100 or fewer participants by October 15.
  • 15 / Action: October 15 defined benefit plan PBGC Premium filings and payments due.
  • 31 / Action: Single-employer defined benefit plans that are less than 60% funded or are 80% funded and have benefit restrictions triggered must inform participants by October 31 or 30 days after the benefit restriction applies.

Best practice: Make sure administrative procedures align with language in plan document.


December

  • 2 / Action: Distribute annual participant notices no later than December 2. These include notices for: 401(k) Plan Safe Harbor Match, Automatic Contribution Arrangement Safe Harbor, Automatic Enrollment and Qualified Default Investment Alternatives (QDIA).
  • 15 / Action: December 15 is the extended deadline to distribute the Summary Annual Report (SAR) when the Form 5500 was filed on October 15.
  • 31 / Action: December 31 is the final deadline to process corrective distributions for failed ADP/ACP testing; a 10% excise tax may apply.
  • 31 / Action: Ongoing required minimum distributions (RMDs) for 5% business owners and terminated participants must be completed by December 31.
  • 31 / Action: Amendments to change traditional 401(k) to safe harbor design, remove safe harbor feature or change certain discretionary modifications must be completed by December 31. Amendments to change to safe harbor non-elective design must be completed by December 1 of the given plan year for 3% or by December 31 of the following year for 4% contribution level.
  • 31 / Action: Plan sponsors must amend plan documents by December 31 for any discretionary changes made during the year.

In addition to those important deadlines and dates, plan sponsors should be aware of the contribution plan limits and other rolling notices for 2024:

  • The Traditional and Roth Individual Retirement Account contribution limit is $7,000. The catch-up contribution limit for participants aged 50 and over is $1,000, which is fixed by law and not adjusted each year.
  • The employee salary deferral limit for 401(k), 403(b) and 457 plans is $23,000. The catch-up contribution limit for participants who are age 50 or older in 2024 is $7,500.
  • Maximum annual additions (i.e., employee deferrals, employer contributions, and forfeitures) that can be allocated to a participant’s defined contribution plan account for 2024 is $69,000.
  • Limitation for the annual benefit under a defined benefit plan under Section 415(b)(1)(A) is $275,000.
  • The dollar amount used to define “highly compensated employee” under Section 414(q)(1)(B) is $155,000.


  • Contact your service provider to discuss any required and/or discretionary SECURE 2.0 provisions effective in 2024 to ensure compliance.
  • Make sure discretionary amendments that impact plan design and administration are executed and implemented timely per IRS regulations.
  • Make sure administrative procedures align with language in plan document.
  • Plans may consider doing mid-year compliance testing to avoid failing applicable annual tests.
  • Review and approve compliance testing results sent by plan administrator.
  • Plan sponsor should confirm the accuracy of the prior year’s census data to the recordkeeper. This information is used for ADP/ACP testing, among other things.

If you want to discuss these considerations or have questions about your specific situation, please contact our Employee Benefits team. We're here to help. 

2024 Deadlines and important dates for plan sponsors

Read this if you sponsor an employee benefit plan. 

In December 2022, Congress passed the Securing a Strong Retirement Act of 2022, commonly referred to as the SECURE 2.0 Act. The SECURE 2.0 Act includes a multitude of provisions, many of which affect employer-sponsored retirement plans and individual retirement accounts. In this article, we want to specifically focus on changes to catch-up contributions for employer-sponsored retirement plans. 

Catch-up contribution parameters

Currently, salary deferral catch-up contributions are available to participants who are age 50 or older (regardless of when they turn 50 during the calendar year). For 2023, the catch-up contribution limit is $7,500; however, this amount changes annually as it is indexed to inflation. This has historically been a non-issue for plans, payroll providers, and recordkeepers, as payroll provider and recordkeeper portals have been set up to allow contributions over the normal salary deferral limit (currently $22,500) for those participants who are over age 50. These catch-up contributions have traditionally been coded the same as a participant’s regular deferrals—either traditional or Roth.

Effective dates: Roth catch-up contributions requirement

Effective January 1, 2024, catch-up contributions will be required to be made on a Roth basis for participants with wages greater than $145,000 (indexed annually for inflation) in the prior year. However, on Friday, August 25, 2023, the IRS issued Notice 2023-62, which provides a two-year administrative transition period to implement the new catch-up contribution provisions.

Specifically, until taxable years beginning after December 31, 2025, catch-up contributions to participants with wages greater than $145,000 in the prior year will not need to be designated as Roth contributions.

Note that the $145,000 limit is determined by looking at wages for social security tax purposes. That may or may not be the same definition that is used by a plan for other purposes (e.g., salary deferral and employer contributions). This may create an administrative burden for payroll providers and recordkeepers as these vendors will need to be able to differentiate between employees under and over this compensation threshold. Furthermore, for those above the threshold, software and systems will need to be set up to help ensure any catch-up contributions are properly coded as Roth contributions, for payroll and retirement plan reporting. Employees with wages of $145,000 or less may still elect to have Roth catch-up contributions, if allowed by the plan documents.


We recommend reaching out to payroll providers and recordkeepers today to see how they plan to approach compliance with the new provision. These conversations should not be independent of one another—it will take a concerted effort amongst plan management, payroll providers, and recordkeepers to help ensure compliance.

NOTE: There is one other change on the horizon for catch-up contributions. Beginning in 2025, the SECURE 2.0 Act creates an additional “special” catch-up limit for employees who are ages 60 to 63. This special catch-up limit will be the greater of $10,000 or 150% of the regular catch-up amount in effect for the year. This amount will also be indexed for inflation annually.

Additional changes effective in 2024

  • Elimination of Required Minimum Distributions (RMDs) for Roth 401(k) and 403(b) plans
  • RMDs for surviving spouses
  • Student loan repayments matching contributions
  • Emergency savings accounts
  • Optional Rothification of catch-up contributions for high earners (as discussed above, this will be mandatory in 2026)
  • Higher forced rollover limit
  • Retroactively amending plan to increase benefits for prior plan year
  • Waiver of early withdrawal penalties for certain distributions
  • Permanent safe harbor for correcting auto-enrollment and auto-escalation failures
  • Uniform rollover forms
  • 403(b) hardship distributions conform to 401(k) rules
  • Starter 401(k) or 403(b) plans
  • Separate top-heavy tests allowed 
  • SIMPLE plan updates
  • Reform of family attribution rules
  • Improved defined benefit plan annual funding notices
  • Indexing individual retirement account (IRA) catch-up limit
  • Section 529 rollovers
  • Retirement savings lost and found

For more information on these changes and others going into effect in 2025, read the previous article on the SECURE 2.0 Act.

If you have questions about the SECURE 2.0 Act, catch-up contributions, or your specific situation, please contact our Employee Benefits team. We're here to help. 

Catch-up contributions: Impacts of the SECURE 2.0 Act

Read this if you are thinking of implementing a new software solution or want to learn more about System and Organization Controls (SOC) reports.

Vendor due diligence is a crucial step when considering new software to use at your organization. Maybe this is a familiar topic or maybe you are just learning how to better assess vendors before you sign a contract. Either way, a software demo should be an important part of your decision-making process—but it cannot be the only criterion you use before buying new software.

SOC 1 and SOC 2 reports: Background

Developed by the American Institute of Certified Public Accountants (AICPA), SOC 1 and SOC 2 reports provide software providers with the opportunity to demonstrate the existence of strong internal controls in place (see more below on why this is important). A SOC 1 report covers Internal Control over Financial Reporting (ICFR) and is an important tool for vendors that process data or provide services critical to their customers' financial reporting. SOC 2 reports are intended to provide detailed information and assurance about the vendor’s controls relevant to the AICPA’s Trust Services Criteria (TSC) for five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Each SOC 2 report must include the Security category and the others are optional based on the services provided. 

The Security category requires that vendors demonstrate their controls related to risk assessment, mitigation, and monitoring practices; user access to systems and physical access to equipment; monitoring security vulnerabilities; software development; change management practices for network devices; incident response procedures; and management’s control environment for oversight, ethics, accountability, and communication.

SOC 1 and SOC 2 reports: Benefits

Both SOC 1 and SOC 2 reports should provide information on the internal controls related to the software development lifecycle. A comprehensive SOC report will include tests on the development and approval processes for software code changes. This is important when assessing whether a software vendor has a mature process for changes that affect its customers. If reviews and approvals are not tested in the report, this can indicate that the organization doesn’t currently have a structured and consistent process in place. In this scenario, there is a risk that software developers have the freedom to write code and make changes to the software that impact customer data without a proper review of the effects of those changes. This could create an unintended change in the software that leads to unreliable data for your organization.

Each SOC report is the result of an independent audit by a CPA firm that thoroughly tests the internal controls in place at the software or service company. Reviewing the results of this audit can help you understand the vendor’s controls and demonstrate whether the software functions as intended, includes controls to prevent unauthorized code changes, and has security controls to protect your data. 

SOC 1 and SOC 2: Resources 

SOC reports and your review of them can strengthen your vendor due diligence process and help your organization determine the best software vendor for your needs. Our team has developed checklists to help you identify the key areas of attention as you review SOC reports, and you can download them here. These checklists are also helpful for software vendors you are already using to help understand the controls in place and whether you should ask questions about controls you do not see in the report. Please watch our video on how to effectively use our checklists.

Our SOC experts are here to help. Please contact us to learn more about SOC reports or if you have specific questions about protecting your organization from ineffective software development practices.

SOC 1 and SOC 2 reports: What to know before you buy new software

Read this if you are an IT director, information security officer, compliance officer, risk manager, or an organizational leader interested in enhancing resilience and robust continuity strategies.

In today’s business environment, the ability to navigate and recover from unexpected disruptions is crucial. Whether facing cyberattacks, health crises, or even natural disasters, the faster your organization can resume operations, the better. To enhance organizational resilience, it is important to distinguish between business continuity (BC), disaster recovery (DR), and incident response (IR). This short article outlines the distinct roles of BC, DR, and IR, emphasizing their contributions to resilience and offering insights for developing strategies to address disruptions effectively.

What is business continuity?

Business continuity is focused on sustaining an organization's mission and essential business processes during and after a disruption. For many organizations, this includes critical functions, such as payroll or customer service.

A business continuity plan (BCP) can be customized for a single unit or the entire organization, emphasizing specific functions. The BCP's objective is to help ensure the uninterrupted operation or timely restoration of critical business processes, regardless of the disruption's nature, whether it be IT-related or if it affects other aspects of the business.

BCP components include:

  • Identifying potential risks and threats and assessing their impact on critical processes, as well as prioritizing functions based on criticality
  • Developing strategies to mitigate disruption impacts on critical functions and exploring alternative approaches to conducting business
  • Outlining procedures for immediate threats or emergencies, providing contact details for key personnel and emergency services, and specifying evacuation plans and safety protocols
  • Establishing guidelines for internal and external communication during disruptions and protocols for keeping employees, customers, and stakeholders informed
  • Describing the recovery and restoration of IT systems and data (refer to the disaster recovery section below), including backup and recovery procedures, and defining the roles of IT personnel during disruptions

What is disaster recovery?

Disaster recovery addresses significant disruptions that deny access to the primary IT infrastructure for an extended period. Examples of disasters include natural disasters, terrorist attacks, cybersecurity incidents, power outages, network failures, and pandemics.

A disaster recovery plan (DRP) is a targeted strategy to restore operability to the IT infrastructure following a disaster. It complements a BCP by recovering supporting systems for essential business processes. The DRP’s objective is to minimize downtime and data loss by restoring IT systems, applications, and data in a timely manner to resume normal operations.

DRP components include:

  • Identifying risks and threats to IT systems and data and assessing their impact on critical functions
  • Establishing recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems and prioritizing each based on criticality
  • Implementing procedures for regular data backups, selecting appropriate methods, and working to ensure off-site storage for data redundancy
  • Providing detailed recovery instructions for IT systems and applications, with designated personnel responsible for execution
  • Conducting regular testing through simulation exercises, evaluating DRP effectiveness, and adjusting as necessary

What is incident response?

Incident response manages and mitigates the impact of security incidents, such as ransomware attacks or data breaches. Its goal is to detect, respond to, and recover from incidents promptly to minimize damage and protect sensitive information. 

An incident response plan (IRP) outlines procedures for addressing cybersecurity attacks, helping to identify, mitigate, and recover from incidents like unauthorized access or denial of service. The IRP is often included as an appendix to the BCP and DRP.

IRP components include:

  • Identifying covered incident types
  • Establishing an incident response team with roles, responsibilities, and key personnel contacts
  • Setting criteria for classifying incidents by severity and impact, defining severity levels and corresponding response actions
  • Outlining immediate steps upon incident detection, activating the response team, and initiating preliminary assessments
  • Establishing procedures for post-incident reviews, documenting lessons learned, and recommending improvements to the IRP


BC, DR, and IR are each crucial for organizational resilience against unexpected disruptions. BC works to ensure sustained critical business functions, DR restores IT systems post-disaster, and IR manages security incidents. The synergy of these three components forms a comprehensive strategy, empowering organizations to navigate disruptions effectively.

For more information on organizational resilience or if you have questions about your specific situation, please don’t hesitate to contact our cybersecurity consulting team. We’re here to help.

Crafting a resilient strategy with business continuity, disaster recovery, and incident response