

Read this if you are a board member, C-suite, or accounting professional at a financial institution.

Congratulations! For most financial institutions across the US, 2023 marked the first full year of CECL (Current Expected Credit Losses, or Accounting Standards Codification (ASC) 326 – Credit Losses) adoption. The sweeping changes brought about by CECL may have felt like dealing with the accounting version of a 100-year flood. As accounting and finance professionals are wrapping up year-end audits, disclosures, and annual reports, perhaps many are breathing a well-earned sigh of relief. Celebrations certainly are in order for accomplishing the most significant change in bank accounting ever during one of the most uncertain few years in recent history.

As with any major change event, CECL is not a one-and-done situation. There is an aftermath that needs addressing—a look-back assessment, clean-up, renovation—and consideration for what it means to move forward confidently in this “new normal.” Here are some things to consider as you enter this next phase.

The key questions test

After zooming in on the details of CECL for the past several years, now is the right time to pan out and consider the broader view. Given all the time and energy spent working on CECL, look at how well you and your team can confidently, succinctly, and consistently answer these key questions:

  1. How does your model work?
  2. How do you assess adequacy and assure consistency?
  3. Where are the risks?
  4. What controls are in place?
  5. Where are the opportunities for improvement?
  6. How are model changes handled? 

More importantly, if none of you were there to answer those questions, is there sufficient documentation available that someone else could? Now that CECL is your new ongoing reality, it is critical that you can demonstrate understanding, both conversationally and also in formal documentation. When it comes to model documentation and direct or related policies, procedures, and controls, the ultimate litmus test is that an independent third party could both understand and replicate what you’re doing. This should be true no matter if the independent third party is internal or external to your organization. 

Tip: Record your answers to the key questions above. Then hand someone in your organization who is not directly involved with the ACL process your model documentation to review and then ask them to explain back to you how your model works. How different are their answers and understanding from yours? This also works well to test specific procedures or processes.

Common themes or issues

One of the benefits of partnering with financial institutions across the US is the ability to pick up on common themes, trends, and issues—areas of opportunity to enhance and refine approaches to CECL. From this work, we offer the following observations and tips:

Change management  

In our experience, few institutions have a formal process in place for how CECL model changes are to be handled from here, yet this is a crucial component of model risk management. A good change management process includes how changes—either by the vendor or the institution—are to be assessed, how much analysis is expected, what level of review and approval (including by the board) is required, and how quickly the changes are to take effect. There should also be confirmation that the changes were implemented. For a risk-based approach to model change management, consider which types of changes create the most risk to your institution’s model or create the most volatility in reserve estimation outcomes, and match that risk to the level of assessment and approval authority required. 

Tip: An approval form cover sheet summarizing the changes and impacts along with maintaining a change log will help you evidence, track, and monitor these changes over time. 

Qualitative (Q Factor) support

We’ve seen a wide variety of methods and methodology construction under CECL, but one thing they have in common is a lack of real support for qualitative adjustments. Even with software integration and modeling techniques, it remains up to management to document their rationale for when, why, and to what extent qualitative adjustments are needed. It is a baseline expectation that management can describe what risk of loss is already accounted for in the quantitative model, what internal and external conditions and factors they are uniquely monitoring for each qualitative adjustment category they feel is needed, and how they determine to what extent adjustments should be made. If this adjustment is based on designating when risk is moving from low to medium to high, management should be able to indicate what triggers a move among these risk levels. One quick example for illustrative purposes: what range of delinquency rates for your institution is typical of a “neutral” risk level, or of a low- vs. moderate- vs. high-risk level? 

Tip: A simple spreadsheet documenting these critical aspects of management’s qualitative framework can go a long way to make sure this process is transparent and provides insight into any risk of reserve layering. 

Vendor risk

Assessing and managing vendor risk is a big topic. For some of the same reasons we saw an increased use of vendor solutions to comply with CECL, we’ve also seen what could be characterized as an over-reliance on vendors. One area we’ve found that needs some additional attention is the financial institution’s review and assessment of both their CECL model vendor’s SOC-1 Type-2 report and of any model validation the vendor may have contracted for separately. It isn’t always easy reading through and understanding these documents; however, it is vital to your assessment of the risk and controls the vendor has in place over these models and systems they have developed that you are relying on for the largest estimate in your financial statements.

Knowing what you’re looking for is key. For example, user entity controls are identified in the SOC report and often, for CECL, mean that controls need to be in place in multiple areas of the institution. If your vendor has had their model(s) independently validated, we encourage a close read of this work, as it should alert you to any limitations of that validation, such as feeder models that were not validated. 

Tip: Become familiar with the new supervisory interagency guidance on Third-Party Risk Management (June 2023) and the vendor life cycle. Doing so should help you assess gaps in your current approach to CECL vendor risk management. 

CECL resources

No matter your CECL challenge or pain point, our team of experts is here to help you navigate the requirements as efficiently and effectively as possible. We’d love to hear from you, or please feel free to explore our CECL resources to help you along the way.

CECL: Trends and post-adoption opportunities

Read this if you are responsible for cybersecurity or are a member of a board of directors for a company or a nonprofit organization.

I recently joined the board of directors of a local nonprofit organization that addresses homelessness and food insecurity in our community. While it is a larger, well-established organization, it still needed cybersecurity support. For me, it is a meaningful way to give back using my expertise while improving the risk posture and security practices of the organization. In my opinion, the most critical area any board of directors should be addressing, along with establishing and mitigating risk, is incident preparedness. The board should require and receive reports on incident management programs, and if they are in place, they should be tested on a frequent basis. 

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies and nonprofit organizations in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

For nonprofit boards, having an expert with cybersecurity skills as a board member may bring in needed guidance and expertise to an organization that may have limited resources, but is impacted by cybersecurity risks. It can be a valuable way to bring in advisory and oversight where it may be needed.

Additionally, all directors need to maintain continual knowledge about evolving cyber issues and management’s plans for allocating resources with respect to preparedness in responding to cyber risks. Such knowledge helps boards assess the priority-driven and investment decisions put forth by management needed in critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cybersecurity risks for their organizations. They may be useful as a starting point for boards to use in their discussions and as a guide when looking at their oversight of management’s plans for addressing potential cyber risks.


  • What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
  • Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
  • Has the cyber risk management plan been tested?
  • Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
  • Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
  • What percentage of our IT budget is dedicated to cybersecurity?
  • Does that allocation conform to industry standards?
  • Is it adequate based on our threat profile?
  • What are the stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
  • What is the interaction model between senior management and the board for communications regarding cybersecurity?
  • Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

  • How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
  • Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
  • Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

  • Does the board play an active part in determining an organization’s cybersecurity strategy?
  • What are the key elements of a good cybersecurity strategy?
  • Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
  • How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
  • How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

  • What are the potential cyber threats to the organization?
  • Who is responsible for management oversight of cyber risk?
  • Has a formal cyber assessment been performed? Does it need to be updated?
  • Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
  • What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
  • Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

  • Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology, and are those individuals empowered to carry out those responsibilities?
  • Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
  • Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model as it may present a conflict. Many organizations align this function under the risk, compliance, audit, or legal functions, while others make it a direct or “dotted line” reporting to the CEO.)
  • Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

Cybersecurity controls

  • Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
  • What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
  • How effective are the organization’s risk management activities and controls identified in the assessment?
  • Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
  • Are there controls in place to ensure adequate, accurate, and timely reporting of cybersecurity-related content?
  • How does the company remain apprised of laws and regulations and ensure compliance?
  • What cloud services does our organization use and how risky are they?
  • How are we protecting sensitive data? Do we know what types of data the organization maintains? 

Threat intelligence and collaboration

  • What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
  • Does our organization share threat intelligence with law enforcement?
  • What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
  • What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

  • Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
  • How regularly should a board obtain IT metric information?
  • Is the information meaningful in a way that invokes a reaction and provides a clear understanding of the level of risk willing to be accepted, transferred, or mitigated?
  • How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

  • How does management validate the type and volume of cyber-attacks?
  • Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
  • How does an incident response and recovery plan fit into the overall cybersecurity strategy?
  • Is the board’s response role clearly defined?
  • Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
  • Is there a culture of cyber awareness and reporting at all levels of the company?
  • Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

  • How does the board remain current on cybersecurity developments in the market and the regulatory environment?
  • Currently, how does the board evaluate directors' knowledge of the current cyber environment and cybersecurity issues impacting their organizations?
  • Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
  • Are directors provided with educational opportunities in this area?
  • Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

  • Has oversight of cybersecurity reporting been defined for management and the board?
  • Are company policies and procedures to identify and manage cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, board of directors’ cybersecurity expertise, and its oversight of cybersecurity risk being included within the financial statement and proxy disclosures?
  • Does the company have a mechanism for timely reporting of material cybersecurity incidents?
  • Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help. 

Board oversight of cybersecurity: Questions to ask

Read this if you are a board member or responsible for providing CECL information to your board.

We’ve heard so much about Current Expected Credit Losses (CECL) in the past few years leading up to its adoption by all remaining financial institutions in recent calendar year-end financial statements. The focus has been, rightfully so, on its actual adoption—making sure policies and procedures are adjusted to appropriately account for the new standard and that financial statement disclosures comply with the new requirements. With year-end 2023 largely concluded, and people having had the chance to catch their breath, the focus understandably shifts to how best to optimize CECL for the long haul. Although we like to think the hard part (i.e., adoption) is behind us, which is certainly a reason to celebrate, there are questions that may need answers. One of those is figuring out how much CECL information you should provide to your board and how often.

We often get inspiration in answering this question from Goldilocks: not wanting to provide too much information but also not providing too little—you want to provide just enough. This means providing enough information so board members can knowledgeably assess the adequacy of the allowance and provide robust challenge while not getting so much information that they could, in theory, reperform the calculation themselves. Some items to consider including in your board communications are:

Key inputs and assumptions

There are likely many inputs and assumptions that go into your CECL calculation, all of which bear some impact on your overall allowance. You likely identified those inputs and assumptions that are most important to your calculation when implementing the standard. Best practice is to have documented these key inputs, assumptions, and management’s rationale for them in a model document, and to include a monitoring schedule in your ACL policy for the frequency with which they will be reviewed and updated—and under whose authority review and approval is required.

Of course, each period, any changes requiring board approval will need to be disclosed to the board. But as part of your ongoing disclosure to the board, consider providing an overall summary of key inputs and assumptions and highlighting any that shifted in the prior period. This may include prepayment speeds, forecasting models, forecast length, reversion length, probability of default, loss given default, and aging buckets. This summary could be in narrative form, but it may be more effective to provide it as a list showing the inputs and assumptions period-over-period and explaining any significant changes. This will allow your board to quickly assess what has changed and effectively challenge those changes.

Analytics and trends

Analytics can be an effective tool in assessing your allowance calculation. We recommend incorporating analytics into management’s own review of the allowance calculation, as a final check before approving the calculation for the period. Many of these analytics could likely be recycled and provided to boards as part of your reporting. Some analytics to consider using are:

  1. Changes in the allowance period-over-period, possibly broken up by financial asset type
    For instance, for financial institutions, the financial asset type could be its various loan portfolio segments. For commercial entities, it could be the age of the receivables. Set a variance threshold for any changes period-over-period and investigate those changes that meet this threshold. The resulting explanations can then be incorporated into your board reporting.
  2. Charge-off trends
    Examine historical charge-off activity, looking for any significant changes over recent periods. Although recent charge-off activity may not be in direct correlation to your allowance levels, given the CECL requirement related to reasonable and supportable forecasts and the use of forward-looking information, recent trends in charge-off activity could prove to be useful information for boards. If there are significant differences in recent charge-off levels vs. your current allowance, this may beg an explanation as to why. Consider presenting your charge-off activity in the form of an analytic, such as charge-offs as a percentage of credit loss expense.
  3. Delinquency trends
    Consider providing the board information on the payment status of your outstanding receivables, likely the largest financial asset subject to CECL. Past due buckets (for instance, segregating your receivables by days past due) can be useful information for the board. Again, providing a period-over-period comparison can make the analysis that much more powerful. The usefulness of this information may vary, as it is possible past due status is an input into your allowance calculation or qualitative adjustment methodology. Thus, the way in which this analytic is discussed with your board will likely vary depending on your allowance calculation.

Peer comparison

One of the more challenging aspects of CECL is finding good comparisons. Because there is so much leeway given to adopters under CECL for how to construct their methodology, we advise that peer comparisons be used with caution. However, peer comparisons should not simply be ignored for this reason. Peer comparisons can provide valuable insights into how like-kind companies are approaching their allowance calculations and reserve-level expectations. The emphasis now is on determining which peers are truly like-kind to you in the context of CECL and covered financial assets. Again, peer results may vary significantly from your own company’s results, but such differences may lead you and your board to consider if those are really your peers, or to challenge your own model outputs, inputs, and assumptions.

CECL or Allowance for Credit Losses (ACL) policies

Maintaining a CECL or Allowance for Credit Losses (ACL) policy is an important part of overall governance. This policy should not go into as much detail as other model development, design, and calculation procedural documents. But it should address governance roles and responsibilities, authority, and required model risk management activities and standards, in addition to ongoing monitoring and reporting. Review this policy on an annual basis and present it to the board for approval. This policy will also help dictate how much CECL information is provided to the board and will allow you to revisit how much information and what types of information are provided at least annually.

Finding that “just right” mix of information takes time and will vary depending on your company’s specific circumstances. Companies for which the CECL calculation is a significant estimate will likely require more information than those for which CECL is less significant. Frequently ask your board if they feel as if they’re getting the right mix of information. Don’t be afraid to experiment with different reports and different levels of reporting. As always, if you have any questions or want some additional direction, please don’t hesitate to reach out to your BerryDunn team.

Providing CECL information to your board: Best practices

Read this if you are involved in recruiting board members.

Board members serve as the backbone of companies and organizations across industries. They provide direction, oversight, and strategic guidance. Selecting the right people to serve on your board is important for the success of your organization. Here are some things to consider as you look for board members that fit your needs.

  • Identify and understand your needs
    Before initiating the recruitment process, identify the specific skills, experiences, and perspectives your board lacks or skills that could enhance board and organizational effectiveness. This can vary depending on what your board needs, but often includes financial acumen, legal knowledge, extensive management experience, and industry connections.
  • Outline the roles, responsibilities, time commitments, and expectations
    Be transparent about your mission, values, and the challenges you face. This clarity will attract candidates who match your goals and can fully understand what they're signing up for.
  • Reach out to your existing network
    Personal recommendations often yield high-quality candidates who are already familiar with your work and business. You could also consider spreading the word through company communications like newsletters and bulletins, social media, and events.
  • Actively seek out candidates from different age groups, ethnicities, genders, professions, and geographic locations
    Diversity in background, perspective, and experience enriches discussions, fosters innovation, and ultimately better serves your organization. 
  • Screen candidates thoroughly
    Implement a rigorous selection process to assess candidates' qualifications, commitment, and alignment with your values. Conduct interviews to gauge their passion for the business, leadership style, and ability to collaborate effectively. Consider requesting references and conducting background checks if deemed necessary.
  • Provide orientation and training
    Once selected, provide comprehensive orientation and continuous training to new board members. Familiarize them with your history, programs, governance structure, and strategic priorities. Offer opportunities for professional development to enhance their effectiveness in fulfilling their roles.
  • Engage the board
    Cultivate a culture of active participation, open communication, and accountability among board members. Encourage them to contribute their unique perspectives, skills, and networks to advance your goals. Establish expectations, evaluation mechanisms, and term limits to ensure accountability and prevent stagnation.
  • Nurture a supportive and inclusive board culture where members feel valued and empowered
    Celebrate achievements, recognize contributions, and cultivate camaraderie through team-building activities and meaningful interactions.
  • Regularly evaluate the effectiveness of your board composition, dynamics, and processes
    Solicit feedback from board members, staff, and stakeholders to identify areas for improvement and adaptation. Be willing to make necessary adjustments to ensure the board remains agile, responsive, and aligned with your evolving needs and goals.

By following these steps and approaches, your team can assemble a dynamic and dedicated board of directors equipped to navigate challenges, seize opportunities, and drive meaningful impact for your company or organization.

Finding the right fit: Recruiting board members

Read this if you are responsible for your company’s income tax provision and disclosures.

In December 2023, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) No. 2023-09, Income Taxes (Topic 740): Improvements to Income Tax Disclosures. Although this ASU does not impact the accounting for income taxes, it does impact the disclosures of such and is applicable to all entities subject to income taxes. According to the FASB, “the Board is issuing the amendments…to enhance the transparency and decision usefulness of income tax disclosures. Investors, lenders, creditors, and other allocators of capital indicated that the existing income tax disclosures should be enhanced to provide information to better assess how an entity’s operations and related tax risks and tax planning and operational opportunities affect its tax rate and prospects for future cash flows.”

The main components of the FASB’s ASU can be broken down into three areas, as is done in the ASU itself:

  1. Rate Reconciliation
  2. Income Taxes Paid
  3. Other Disclosures

Rate Reconciliation

This amendment is only for public business entities. Public business entities have always been required to provide a rate reconciliation, reconciling income tax expense at the statutory rate to the entity’s effective tax rate. This rate reconciliation could be displayed in amounts or percentages. ASU No. 2023-09 requires this rate reconciliation be displayed in both amounts and percentages and also identifies the following specific categories that must be disclosed:

  1. State and local income tax, net of federal (national) income tax effect
  2. Foreign tax effects
  3. Effect of changes in tax laws or rates enacted in the current period
  4. Effect of cross-border tax laws
  5. Tax credits
  6. Changes in valuation allowances
  7. Nontaxable or nondeductible items
  8. Changes in unrecognized tax benefits

There is also a requirement that any reconciling item greater than 5% of the statutory income tax expense be separately disclosed, even if not one of the specific categories identified in the ASU. Furthermore, this 5% threshold applies to the cross-border tax laws, tax credits, and nontaxable or nondeductible items categories, meaning that if the reconciling item is within these categories and is above the 5% threshold, the item must be disaggregated by its nature. The 5% threshold also applies to the foreign tax effects category in that this category is required to be disaggregated by jurisdiction (country) and by nature if meeting the 5% threshold.

For example, let’s say an entity has research and development tax credits as well as energy-related tax credits, both of which are in excess of the 5% threshold. These tax credits would be required to be separately disclosed. However, let’s say tax credits in total are below the 5% threshold. In this case, tax credits would still need to be separately disclosed, as they are one of the specific categories identified in the ASU but would not need to be further disaggregated.

For the state and local category, a public business entity is required to provide a qualitative description of the states and local jurisdictions that make up the majority (greater than 50%) of the effect of the state and local income tax category. So, for instance, if the entity’s state and local tax is primarily derived from taxes to the States of Maine and Massachusetts, this fact must be disclosed.

Entities other than public business entities are required to qualitatively disclose specific categories of reconciling items and individual jurisdictions that result in a significant difference between the statutory tax rate and the effective tax rate. Paragraphs 740-10-55-232 and 55-233 provide an illustration of these disclosures.

Income Taxes Paid

All entities now must disclose:

  1. The amount of income taxes paid (net of refunds received) disaggregated by federal (national), state, and foreign taxes
  2. The amount of income taxes paid (net of refunds received) disaggregated by individual jurisdictions in which income taxes paid (net of refunds received) is equal to or greater than 5% of total income taxes paid (net of refunds received).

Other Disclosures

All entities now must disclose on an annual basis:

  1. Income (or loss) from continuing operations before income tax expense (or benefit) disaggregated between domestic and foreign
  2. Income tax expense (or benefit) from continuing operations disaggregated by federal (national), state, and foreign.

The ASU does eliminate the requirement for all entities to (1) disclose the nature and estimate of the range of the reasonably possible change in the unrecognized tax benefits balance in the next 12 months or (2) make a statement that an estimate of the range cannot be made.

This ASU is effective for public business entities for annual periods beginning after December 15, 2024. For entities other than public business entities, the ASU is effective for annual periods beginning after December 15, 2025. Early adoption is permitted. The ASU should be applied on a prospective basis although retrospective application is permitted.

The BerryDunn perspective

On the surface, this ASU may not seem important, as it only impacts disclosure. But the level of disaggregation required could make this ASU a time-consuming one to implement, especially for those entities that operate in many states and foreign jurisdictions. As indicated above, all entities now must disclose income tax expense and income taxes paid by federal, state, and foreign. This may require modifications to existing tax provision procedures to ensure this information is readily available come time to populate the income tax disclosures in your entity’s financial statements.

Conversations with those responsible for preparing the income tax provision should start now so the best process to accumulate the information needed for these new disclosures can be identified proactively, reducing, or possibly eliminating, the amount of rework needed when it comes time to adopt this accounting standard. As always, please don’t hesitate to reach out to your BerryDunn team should you have questions.

FASB issues an ASU focused on income tax disclosures

Read this if your organization receives federal grants.

Navigating the ever-evolving landscape of federal grant management just got more manageable, as the Office of Management and Budget (OMB) has issued the latest revision of the Uniform Grants Guidance for 2024. It introduces several significant changes aimed at enhancing clarity, efficiency, and compliance in grant administration. The effective date for these changes is October 1, 2024. Here's a closer look at the most noteworthy updates.

Fixed amount awards and subawards

  • The threshold for fixed-amount subawards requiring prior written approval from federal agencies has been raised from $250,000 to $500,000, providing recipients with increased flexibility.

Equipment-related thresholds

  • The acquisition value threshold for defining equipment has been raised from $5,000 to $10,000, reducing administrative burdens for recipients. Similarly, the threshold for unused supplies has been increased from $5,000 to $10,000.

De minimis indirect cost rates 

  • The de minimis rate for indirect costs has been increased from 10% to 15% of modified total direct costs (MTDC), providing recipients and subrecipients with greater flexibility in cost allocation.
  • Recipients and subrecipients can opt for a lower de minimis rate than 15%.
  • OMB has adjusted the exclusion threshold of subawards from $25,000 to $50,000 for modified total direct costs.

Single audit

  • The threshold for mandatory single audits has been raised from $750,000 to $1 million in federal expenditures, reducing the audit burden on smaller recipients.

Additional updates of note:

Streamlined Notices of Funding Opportunity (NOFO)
The revised guidance is putting more emphasis on streamlining Notices of Funding Opportunity (NOFO). Federal agencies are encouraged to make NOFOs more concise, accessible, and transparent, ensuring that essential information is effectively communicated to potential applicants. By simplifying NOFOs and adopting plain language, agencies aim to reduce administrative burdens and enhance the accessibility of grant opportunities, particularly for underserved communities and organizations with limited capacity.

Enhanced data-driven decision-making
Under the new provisions, federal grant recipients are permitted to allocate a portion of their funding toward data management infrastructure, including the acquisition of software, tools, and technologies for data collection, analysis, and reporting. This investment in data infrastructure enables organizations to establish robust data systems, streamline data collection processes, and enhance data quality, ultimately facilitating evidence-based decision-making and program evaluation.


The Uniform Guidance 2024 changes introduce significant updates aimed at improving accessibility, streamlining processes, and promoting data-driven decision-making in federal grant management. As organizations strive to implement these revisions effectively, partnering with experienced consultants can provide invaluable support. Reach out to BerryDunn today if you have any questions about the new updates or your specific situation. We’re here to help.

Uniform grants guidance 2024: Key updates

Amidst the cycle of public health underfunding, and in the shadows of the COVID-19 pandemic, agencies are trying to find financial stability in a space that has seen volatile and drastic changes in recent years. According to the National Association of County and City Health Officials, “The sustainability of the governmental public health system depends on the financial health of state and local public health agencies.” Given this dependency of successful and sustainable public health services on financial stability, it is imperative to have a workforce that understands its obligation to manage public funds effectively.

A public health workforce in need of training

According to the 2021 Public Health Workforce Interests and Needs Survey (WINS), 54% of public health employees across the nation identified budget and financial management as a strategic skill that is highly important to their role but in which their proficiency is low. This category outranked all other training needs assessed, including change management, community engagement, and strategic thinking.

To help public health state agencies target budget and fiscal management training needs for their workforce, a comprehensive assessment can be utilized to examine four domains of administrative management activities with a focus on financial management. These four domains and topic areas include:

Domain Topics

Planning, execution, and program implementation

Policies, processes, procedures, and practices

Budget and performance monitoring, reporting, and closeout


Subgrant award and monitoring

Workforce (staffing, roles, responsibilities, onboarding, competencies)

Executive oversight

Data, systems, and information

Program alignment

Risk and priority

Reviewing these areas can help an agency assess its current decision-making and grant management processes to identify challenges that may lead to opportunities. Opportunities highlight what an agency can do with available resources to support equitable services. The opportunities are then used to inform a roadmap for process improvement and identify action items with a focus on training, policy development, monitoring, and communication. The roadmap defines an implementation strategy with measurable benchmarks and outcomes.

Overall, a comprehensive assessment can kickstart a strategic planning cycle developed to encourage fair and impartial administrative practices that adhere to federal regulations and offer opportunities to leverage additional funds in the future.

Using this framework, your public health agency can begin to manage administrative services wisely and fully leverage funding that can have the greatest impact on population health in the regions you serve. Ask “What are we doing to set up administrative routines for our agency that support equitable services?” and “How are we equipping our staff with the tools needed to effectively leverage resources that promote and improve population health?”

BerryDunn is experienced and poised to support cross-agency governance teams to undertake assessment and implementation activities. Through collaboration with agency leaders, BerryDunn’s team can facilitate discovery of opportunities for improvements in governmental budgeting and finance training, process improvement, development of finance tools and resources, and enhance communication and coordination between program and finance staff.

Learn more about how BerryDunn can support your agency in achieving these goals. If you have a specific question or if you'd like to set up an informational meeting with our team, please contact Julie Sullivan, Senior Manager and Practice Lead.

Financial management for public health systems: The path to building sustainable services

Read this if you are an administrator, compliance officer, or health information management/medical records professional at a Medicare skilled nursing facility.

The Office for Civil Rights (OCR) at the US Department of Health and Human Services is responsible for ensuring patients’ rights to timely access to health records. Since the start of 2024, the OCR has issued two settlements with skilled nursing facilities (SNFs) under the OCR Right of Access Initiative. Both settlements were related to potential violations under the Health Insurance Portability and Accountability Act (HIPAA) Right of Access provision, which requires that individuals or their personal representatives have timely access to their health information.

As a HIPAA-covered entity, a SNF must provide access to the individual’s protected health information within 30 days of receiving a request from the patient or the patient’s personal representative, such as a guardian. In both recent SNF right of access cases, the OCR noted that access was not provided to the patients’ personal representative in a timely manner (161 days and 323 days, respectively). 

Both settlements, which were published on the OCR’s website, led to the imposition of significant civil money penalties (CMPs) against the SNFs. In one case, the OCR imposed a CMP of $100,000, which was not contested by the SNF. In the second case, the SNF challenged the imposition of a $75,000 CMP and agreed to a $35,000 settlement.

Other non-financial outcomes of an OCR Right of Access Settlement

In addition to the financial and reputational implications of an OCR Right of Access Settlement, a SNF must also undertake the following actions:

  • Revise and obtain the OCR’s approval of any noncompliant HIPAA policies and procedures (P&P) 
  • Provide the OCR with copies of all training materials that the SNF must use to train its workforce about the revised HIPAA P&P
  • Submit and obtain the OCR’s approval of the training plan outlining the topics to be covered, when the sessions will be held, and the names of the trainers
  • Send a signed attestation to the OCR documenting when the trainings have been completed


  • A patient or their personal representative may file a complaint directly with the Office for Civil Rights in writing, by email, by fax, or electronically via the OCR’s Complaint Portal
  • Subject to certain exceptions, the Privacy Rule at 45 CFR 164.502(g) requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the rule. The personal representative “stands in the shoes” of the individual and can act for the individual and exercise the individual’s rights.

Actionable items to help ensure compliance with the Privacy Rule

  • Periodically (we suggest at least annually) check your SNF’s policies, procedures, and workflows that focus on access to medical records. We recommend you review:
    • Documentation of the turn-around times (TATs) for processing requests
    • The process for informing your patient or the patient’s representative, in writing and within the initial 30-day period, if a request for records cannot be accommodated within 30 calendar days (only one extension may be made for an additional 30 days)
    • That the correspondence template provides a written statement of the reasons for the delay and the date when the SNF will complete its action on the request
  • Confirm that your SNF’s timelines for access to medical records comply with your state’s requirements, as they may be more restrictive than the federal regulations. For example, California requires a 15-calendar day turnaround time while Texas requires action within 15 business days. Be aware that the OCR issued a Notice of Public Rulemaking on December 10, 2020, proposing that its current 30-day rule be decreased to 15 days. This change in federal rules has not yet gone into effect, but it is still expected and your SNF should be prepared.
  • Maintain a log of medical records requests, including date received, person requesting, response due date, person responsible for completion of the request, and person assigned to review the record prior to release (such as Director of Nursing, Administrator) for completeness. 
  • We also recommend reviewing BerryDunn’s resource, Best Practices for Responding to Medical Record Requests in Healthcare Compliance Insights.

Need help assessing your SNF’s HIPAA program? BerryDunn can help.

BerryDunn’s SNF operations, compliance, and HIPAA privacy experts can answer your questions and provide an external review of policies, procedures, workflows, and training tools. Please contact Trisha Lee, Robyn Hoffmann, or Olga Gross-Balzano.


SNFs and HIPAA Right of Access: Understand the requirements and avoid costly penalties

At first glance, the healthcare patient check-in process seems straightforward. But when examined through the lens of your revenue cycle and patient experience, it’s one of the most important interactions for your team to get right.

Several key elements must be taken into consideration to create a smooth and simple patient check-in. Patient satisfaction is the tip of the iceberg. You want your patients to have a great experience that is efficient, easy-to-understand, and doesn’t create billing headaches for them later on. The good news is that the same techniques that give your patients a good experience also form the basis for an optimal revenue cycle. Developing this process starts with the undersurface elements that patients never see.

Scripting for patient access teams

Communicating clearly, consistently, and positively is important to put patients at ease, and to make sure that you collect the most accurate and up-to-date information from patients. Doing this correctly up front will save time and will prevent denials and associated workload and revenue loss. The best practice is to establish scripting for your patient access staff and provide training to make sure they are confident in the scripting provided. Here are some examples:

When confirming that patient information is up to date:

Say this: “To ensure your account is as accurate as possible, we require all patients to present a minimum amount of information.”

Not that: “Have there been any changes in your information since the last time you were here?”

Or when connecting a self-pay patient with a financial counselor:

Say this: “Before scheduling your appointment, I will connect with a financial counselor who can determine if you qualify for assistance and will help you understand your financial obligations.”

Not that: “We can’t schedule you until you speak with someone in Finance.”

Developing clear and efficient scripting will give your team the tools to communicate effectively and will help your patients feel like they are well taken care of.

Schegistration: What is it? 

What is “schegistration” anyway? Schegistration is the process of scheduling a patient appointment while also pre-registering the patient at the same time. By gathering and confirming information at the time of scheduling, the in-person check-in process will have fewer steps and will be quicker and easier for both the patient and your team.

Technology: Align your EHR with patient access workflows

Technology, specifically your Electronic Health Record (EHR), can either make your workflows more efficient, or can hinder your patient access staff. It’s important to align your technology platforms with your operational workflows, so it is seamless for your staff to enter and pull up information. It’s also important to have your staff trained regularly on your technology systems so they feel confident that they are using the system correctly and most efficiently.

Documentation: Write it down! 

When you develop new workflows to increase efficiency and improve the patient experience, it can be challenging for staff to make the change. In a busy office environment, it can also be difficult to train new staff effectively. To make it easy and to create consistency and continuity, it’s important to develop standard operating procedures and to document them thoroughly. Providing easy-to-understand instructions, including visuals of workflows, will reduce errors, promote standardization, and improve accountability.

Leadership: Reinforce best practice workflows

Keeping workflows optimized takes the whole team, beginning with leadership. The leaders of your patient access team should act as reinforcement when team members learn and complete best practice check-in workflows. Having documentation readily available and providing support and encouragement to team members will help keep your processes running smoothly.

Patient access team collaboration

Establish clear expectations to foster a supportive team environment and facilitate problem-solving and quick assistance. When scripting, workflows, and documentation are consistent, it’s easy for team members to help each other out and support each other when challenges arise.

The healthcare revenue cycle is an intricate system involving interdependent functions. Like an ecosystem, each component plays an important role in the system. The patient access process is just one piece of the puzzle. Optimizing your revenue cycle also includes looking at these areas: coding and compliance, billing, and denial management.

BerryDunn's audit, tax, clinical, and consulting professionals, focused on specific healthcare industry areas, understand the biggest challenges facing healthcare leaders, and are committed to helping you meet and exceed regulatory requirements, maximize your revenue, minimize your risk, improve your operations, and, most importantly, facilitate positive outcomes. Learn more about our healthcare consulting team.

Optimizing revenue cycle processes: Patient check-in