Skip to Main Content

Read this if you are a nonprofit organization or NFP healthcare organization operating in the state of Maine.

On April 22nd, Maine Governor Janet Mills signed a bill that includes a blanket sales and use tax exemption for all 501(c)(3) organizations. This exemption, effective January 1, 2025, will provide relief to nonprofits and bring clarity to Maine's sales and use tax laws. Prior to the blanket exemption, only specific exemptions were provided for different kinds of nonprofit organizations, such as hospitals, schools, churches, libraries, etc., and this has caused confusion for some Maine nonprofits who are unsure if they meet the requirements for these exemptions.

The blanket tax exemption was propelled by the lobbying efforts of the Maine Association of Nonprofits as well as hundreds of other organizations across the state. This new exemption brings Maine up to speed with all other states in New England that currently provide a blanket sales tax exemption to nonprofits. Maine Revenue Services estimates that over 5,000 organizations will be eligible for the new exemption.  

What to know about the sales and use tax exemption

This exemption will not be granted automatically. Organizations will still need to apply for an exemption certificate. Maine Revenue Services is currently developing the new application form, which will be made available through their website.

Part of this new tax law will include a safeguard to prevent any misuse of the exemption. All exempt purchases made by these charities must be used primarily toward supporting the organization’s mission or exempt purpose.

The exemption will be broadened to include all 501(c)(3) organizations, regardless of whether they are incorporated in Maine. Therefore, 501(c)(3) organizations from other states should be eligible to apply for an exemption certificate for purchases made in Maine, as long as these purchases are used to primarily support their mission.

IRS Determination Letter

Maine Revenue Services has hinted that the only additional documentation needed from the applicants will be a copy of their IRS Determination Letter. All organizations interested in applying for the new exemption should make sure they have a copy of their IRS Determination Letter on hand. If you cannot locate this letter, a copy can be obtained from the IRS through the filing of Form 4506-B.

What about sales made by a 501(c)(3) organization in the state of Maine?

The new law does not provide any sales tax exemptions to sales made by a nonprofit organization. If the nonprofit makes sales to the public on a regular basis, the items sold are still likely subject to sales tax. It is the responsibility of the organization to register with the state of Maine as a retailer and collect and remit sales tax on any items sold.

There are exceptions to collecting and remitting sales tax for the sale of items that are not regularly carried on. For example, if an organization is holding a fundraising event and has a booth set up where they are selling merchandise to attendees, this may qualify as casual or infrequent sales. In this case, the organization would not be required to collect and remit sales tax on the merchandise sold at the event.

Sales and use tax exemption: Conclusion

The blanket sales and use tax exemption for all 501(c)(3) organizations marks a significant and long-awaited victory for Maine nonprofits. Once developed, the new application should streamline the process of applying for the exemption and relieve any uncertainty around eligibility requirements to receive the exemption.

We will continue to monitor any new developments with the exemption and will provide an update once the application is made available. In the meantime, if you have any questions regarding sales and use tax for nonprofits, please contact a member of our NFP Tax Team.

A victory for Maine nonprofits: Blanket exemption from sales and use tax

On May 28, 2024, the Governmental Accounting Standards Board (GASB) issued guidance intended to enhance the clarity, consistency, and usefulness of financial statements for state and local governments. These enhancements will help advance key components of the financial reporting mode, or as GASB calls it, “the blueprint for governmental financial reports.” 

GASB Statement No. 103, Financial Reporting Model Improvements, builds on GASB Statement No. 34, Basic Financial Statements – and Management’s Discussion and Analysis – For State and Local Governments, which was issued in 1999. The new enhancements are designed to:

  • Enhance the effectiveness of governmental financial reports by focusing on essential information for decision-making and assessing a government’s accountability
  • Address certain application issues

GASB Statement No. 103, Financial Reporting Model Improvements, changes existing requirements related to:

  • Management’s discussion and analysis (MD&A)
    • Expands upon the need for why balances changed
  • Unusual or infrequent items (previously known as extraordinary and special items)
    • Should be shown separately in financial statements
  • Presentation of the proprietary fund statement of revenues, expenses, and changes in fund net position
    • Requires subtotals for operating income (loss) and noncapital subsidies be presented before reporting other nonoperating revenues and expenses
  • Major component unit information
    • Must be reported separately in the statement of net position and statement of activities
  • Budgetary comparison information
    • Should be presented as Required Supplementary Information (RSI) and significant variance must be explained in the notes to the RSI

What does this mean for your governmental entity? 

GASB Statement No. 103 enhances the financial reporting process, adding more information for oversight bodies and readers of the financial statements. As you plan your fiscal year 2026 financial statements, you will need to incorporate these changes into your reports. 

Effective date

These new standards are effective for fiscal years beginning after June 15, 2025, and all reporting periods thereafter. Our Governmental Accounting team can help you navigate and implement this new statement. Be on the lookout for further information from our governmental accounting team as we further analyze the impact of this new standard and develop templates.

GASB modernizes financial reporting model

Read this if you are a CEO, CFO, COO, CIO, or board member of a hospital or health system.

There was an era in the early 2000s (that coincided with the introduction of Meaningful Use) when the term electronic health record (EHR) had a distinct meaning and scope. At that time, when we spoke about EHRs, we were referring to the replacement of paper charts with an automated electronic system.

The industry was using the term EHR in an era when a “best-of-breed” software strategy was prevalent and health systems had different EHRs in their inpatient units, clinics, emergency departments, and senior living communities. The scope of EHR projects in this era was smaller and more incremental in change. For example, an ambulatory EHR project may have only been adding clinical components to the existing registration, scheduling, and billing modules. The changes were small, incremental, and manageable.

Today’s EHR projects

Fast forward to today and while both the meaning and scope of the EHR have shifted, we still use the same terminology. Now, when we talk about EHR projects, we mean replacement of the majority of the current software vendors a health system may have with an integrated solution from a single vendor (or a couple of vendors). We are talking about clinical, ancillary, financial, and operational departments, in addition to single problem lists, integrated charge description masters, and one patient portals. Here is an example of the scope of what an EHR project can include today:

  • Clinical modules, including areas such as pharmacy, primary care, acute care, physical therapy, and emergency medicine
  • Financial modules, including claims, payment processing and posting, denial management, and A/R follow-up and appeals
  • Ancillary modules, including mammography, radiology, and laboratory information systems
  • Operational and reporting modules, including analytics, quality metrics, and surveillance of high-risk patients 
  • Population health and interoperability, including patient registries, case management solutions, and connections with post-acute care settings and community care providers
  • Technical modules, including integrated faxing, interfaces, and cloud-based services 
  • Human capital management modules, including recruiting, training, payroll, and performance management 
  • Supply chain modules, including perpetual inventory and real-time supply charging 
  • Patient engagement modules, including patient portals, self-service tools, and integration with home medical devices 
  • Specialty modules, including labor and delivery, anesthesia, oncology, and behavioral health 

So, as you can see, the scope of the modern-day EHR is massive, yet we still use the same term, which may be doing a disservice to organizations by not illustrating the significant scope of modern-day EHR transformations. Hospital boards and senior leadership teams thinking of EHR projects with 2000s expectations only to face the challenge of a 2024 EHR scope during implementation may face the harsh realities of increased stress, the potential of staff turnover, and more challenging projects.

New name for a new era

It may be time to move beyond the term EHR to one that better reflects the scope of the projects we are working with today. So, what should that term be? Hospital Information Systems (HIS) has a broader scope but feels dated and not very descriptive. Enterprise Resource Planning (ERP) has a large scope and meaning in other industries, such as manufacturing, but is really a subcomponent (GL, AP, etc.) of the system we are trying to name. So, what might be better? Here are some ideas:

  • Digital Healthcare Platform (DHP) This has some appeal as it incorporates the ideas of digital healthcare and an overall platform. We could see this helping leaders understand the full scope of these projects better with this term.
  • Enterprise Healthcare Platform (EHP)
    Replacing digital (above) with enterprise to help elevate the overall scope has some merits. 
  • Electronic Healthcare Delivery System (EHDS)
    Starting with a familiar sound to EHR with 'electronic healthcare' followed by a broader ending of 'delivery system' allows people to see it as a broader version of a familiar term. 
  • Healthcare Resource Planning (HRP)
    Taking a page from the manufacturing space with their ERP and Manufacturing Resource Planning (MRP) systems and creating a Healthcare Resource Planning term. Feels familiar and easy to say in a sentence, such as “Are your HRP and ERP systems optimized?” 
  • Electronic Healthcare Community Platform (EHCP)
    Similar to the suggestion of EHDS (above), but with a broader concept of community. This helps people think about larger-scale goals such as population health.

Of course, a new term won’t be settled by this article. Our goal is to start a conversation about changing our understanding and possibly our language to better reflect the scope of these projects. We want boards and senior leaders to understand the amount of change—and potential disruption—that occurs when they take on these projects. If your leaders can have a greater understanding of what is coming in advance, they will likely have a better chance of project success. 

We may begin using Enterprise Healthcare Platform and see if sticks, but we welcome reactions to this article and suggestions on a new and better term. If you have questions about this next evolution of EHR naming or your particular situation, please don’t hesitate to contact us. We’re here to help. 

It may be time to retire the term "Electronic Health Record"

Read this if you are a board member, C-suite, or accounting professional at a financial institution.

Congratulations! For most financial institutions across the US, 2023 marked the first full year of CECL (Current Expected Credit Losses, or Accounting Standards Codification (ASC) 326 – Credit Losses ) adoption. The sweeping changes brought about by CECL may have felt like dealing with the accounting version of a 100-year flood. As accounting and finance professionals are wrapping up year-end audits, disclosures, and annual reports, perhaps many are breathing a well-earned sigh of relief. Celebrations certainly are in order for accomplishing the most significant change in bank accounting ever during one of the most uncertain few years in recent history. 

As with any major change event, CECL is not a one-and-done situation. There is an aftermath that needs addressing—a look-back assessment, clean-up, renovation—and consideration for what it means to move forward confidently in this “new normal.” Here are some things to consider as you enter this next phase.

The key questions test

After you have been zooming in on the details of CECL for the past several years, now is the right time for you to pan out and consider the broader view. After all the time and energy spent working on CECL, now is a good time for you and your team to look at how well you can confidently, succinctly, and consistently answer these key questions:

  1. How does your model work?
  2. How do you assess adequacy and assure consistency?
  3. Where are the risks?
  4. What controls are in place?
  5. Where are the opportunities for improvement?
  6. How are model changes handled? 

More importantly, if none of you were there to answer those questions, is there sufficient documentation available that someone else could? Now that CECL is your new ongoing reality, it is critical that you can demonstrate understanding, both conversationally and also in formal documentation. When it comes to model documentation and direct or related policies, procedures, and controls, the ultimate litmus test is that an independent third party could both understand and replicate what you’re doing. This should be true no matter if the independent third party is internal or external to your organization. 

Tip: Record your answers to the key questions above. Then hand someone in your organization who is not directly involved with the ACL process your model documentation to review and then ask them to explain back to you how your model works. How different are their answers and understanding from yours? This also works well to test specific procedures or processes.

Common themes or issues

One of the benefits of partnering with financial institutions across the US is the ability to pick up on common themes, trends, and issues—areas of opportunity to enhance and refine approaches to CECL. From this work, we offer the following observations and tips:

Change management  

In our experience, few institutions have a formal process in place for how CECL model changes are to be handled from here, yet this is a crucial component of model risk management. A good change management process includes how changes—either by the vendor or the institution—are to be assessed, how much analysis is expected, what level of review and approval (including by the board) is required, and how quickly the changes are to take effect. There should also be confirmation that the changes were implemented. For a risk-based approach to model change management, consider which types of changes create the most risk to your institution’s model or create the most volatility in reserve estimation outcomes, and match that risk to the level of assessment and approval authority required. 

Tip: An approval form cover sheet summarizing the changes and impacts along with maintaining a change log will help you evidence, track, and monitor these changes over time. 

Qualitative (Q Factor) support

We’ve seen a wide variety of methods and methodology construction under CECL, but one thing they have in common is a lack of real support for qualitative adjustments. Even with software integration and modeling techniques, it remains up to management to document their rationale for when, why, and to what extent qualitative adjustments are needed. It is a baseline expectation that management can describe what risk of loss is already accounted for in the quantitative model, what internal and external conditions and factors they are uniquely monitoring for each qualitative adjustment category they feel is needed, and how they determine to what extent adjustments should be made. If this adjustment is based on designating when risk is moving from low to medium to high, management should be able to indicate what triggers a move among these risk levels. One quick example for illustrative purposes: what range of delinquency rates for your institution is typical of a “neutral” risk level, or of a low- vs. moderate- vs. high-risk level? 

Tip: A simple spreadsheet documenting these critical aspects of management’s qualitative framework can go a long way to make sure this process is transparent and provides insight into any risk of reserve layering. 

Vendor risk

Assessing and managing vendor risk is a big topic. For some of the same reasons we saw an increased use of vendor solutions to comply with CECL, we’ve also seen what could be characterized as an over-reliance on vendors. One area we’ve found that needs some additional attention is the financial institution’s review and assessment of both their CECL model vendor’s SOC-1 Type-2 report and of any model validation the vendor may have contracted for separately. It isn’t always easy reading through and understanding these documents; however, it is vital to your assessment of the risk and controls the vendor has in place over these models and systems they have developed that you are relying on for the largest estimate in your financial statements.

Knowing what you’re looking for is key. For example, user entity controls are identified in the SOC report and often, for CECL, mean that controls need to be in place in multiple areas of the institution. If your vendor has had their model(s) independently validated, we encourage a close read of this work, as it should alert you to any limitations of that validation, such as feeder models that were not validated. 

Tip: Become familiar with the new supervisory interagency guidance on Third-Party Risk Management (June 2023) and the vendor life cycle. Doing so should help you assess gaps in your current approach to CECL vendor risk management. 

CECL resources

No matter your CECL challenge or pain point, our team of experts is here to help you navigate the requirements as efficiently and effectively as possible. We’d love to hear from you, or please feel free to explore our CECL resources to help you along the way.

CECL: Trends and post-adoption opportunities

Read this if you are responsible for cybersecurity or are a member of a board of directors for a company or a nonprofit organization.

I recently joined the board of directors of a local nonprofit organization that addresses homelessness and food insecurity in our community. While it is a larger, well-established organization, it still needed cybersecurity support. For me, it is a meaningful way to give back using my expertise while improving the risk posture and security practices of the organization. In my opinion, the most critical area any board of directors should be addressing, along with establishing and mitigating risk, is incident preparedness. The board should require and receive reports on incident management programs, and if they are in place, they should be tested on a frequent basis. 

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies and nonprofit organizations in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

For nonprofit boards, having an expert with cybersecurity skills as a board member may bring in needed guidance and expertise to an organization that may have limited resources, but is impacted by cybersecurity risks. It can be a valuable way to bring in advisory and oversight where it may be needed.

Additionally, all directors need to maintain continual knowledge about evolving cyber issues and management’s plans for allocating resources with respect to preparedness in responding to cyber risks. Such knowledge helps boards assess the priority-driven and investment decisions put forth by management needed in critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cybersecurity risks for their organizations. They may be useful as a starting point for boards to use in their discussions and as a guide when looking at their oversight of management’s plans for addressing potential cyber risks.


  • What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
  • Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
  • Has the cyber risk management plan been tested?
  • Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
  • Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
  • What percentage of our IT budget is dedicated to cybersecurity?
  • Does that allocation conform to industry standards?
  • Is it adequate based on our threat profile?
  • What are the stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
  • What is the interaction model between senior management and the board for communications regarding cybersecurity?
  • Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

  • How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
  • Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
  • Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

  • Does the board play an active part in determining an organization’s cybersecurity strategy?
  • What are the key elements of a good cybersecurity strategy?
  • Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
  • How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
  • How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

  • What are the potential cyber threats to the organization?
  • Who is responsible for management oversight of cyber risk?
  • Has a formal cyber assessment been performed? Does it need to be updated?
  • Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
  • What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
  • Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

  • Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology, and are those individuals empowered to carry out those responsibilities?
  • Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
  • Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model as it may present a conflict. Many organizations align this function under the risk, compliance, audit, or legal functions, while others make it a direct or “dotted line” reporting to the CEO.)
  • Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

 Cybersecurity controls

  • Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
  • What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
  • How effective are the organization’s risk management activities and controls identified in the assessment?
  • Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
  • Are there controls in place to ensure adequate, accurate, and timely reporting of cybersecurity-related content?
  • How does the company remain apprised of laws and regulations and ensure compliance?
  • What cloud services does our organization use and how risky are they?
  • How are we protecting sensitive data? Do we know what types of data the organization maintains? 

Threat intelligence and collaboration

  • What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
  • Does our organization share threat intelligence with law enforcement?
  • What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
  • What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

  • Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
  • How regularly should a board obtain IT metric information?
  • Is the information meaningful in a way that invokes a reaction and provides a clear understanding of the level of risk willing to be accepted, transferred, or mitigated?
  • How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

  • How does management validate the type and volume of cyber-attacks?
  • Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
  • How does an incident response and recovery plan fit into the overall cybersecurity strategy?
  • Is the board’s response role clearly defined?
  • Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
  • Is there a culture of cyber awareness and reporting at all levels of the company?
  • Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

  • How does the board remain current on cybersecurity developments in the market and the regulatory environment?
  • Currently, how does the board evaluate directors' knowledge of the current cyber environment and cybersecurity issues impacting their organizations?
  • Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
  • Are directors provided with educational opportunities in this area?
  • Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

  • Has oversight of cybersecurity reporting been defined for management and the board?
  • Are company policies and procedures to identify and manage cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, board of directors’ cybersecurity expertise, and its oversight of cybersecurity risk being included within the financial statement and proxy disclosures?
  • Does the company have a mechanism for timely reporting of material cybersecurity incidents?
  • Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help. 

Board oversight of cybersecurity: Questions to ask