
Read this if you are a board member, C-suite, or accounting professional at a financial institution.

Congratulations! For most financial institutions across the US, 2023 marked the first full year of CECL (Current Expected Credit Losses, or Accounting Standards Codification (ASC) 326 – Credit Losses) adoption. The sweeping changes brought about by CECL may have felt like dealing with the accounting version of a 100-year flood. As accounting and finance professionals wrap up year-end audits, disclosures, and annual reports, many are perhaps breathing a well-earned sigh of relief. Celebrations certainly are in order for accomplishing the most significant change in bank accounting ever during one of the most uncertain few years in recent history.

As with any major change event, CECL is not a one-and-done situation. There is an aftermath that needs addressing—a look-back assessment, clean-up, renovation—and consideration for what it means to move forward confidently in this “new normal.” Here are some things to consider as you enter this next phase.

The key questions test

After you have been zooming in on the details of CECL for the past several years, now is the right time for you to pan out and consider the broader view. After all the time and energy spent working on CECL, now is a good time for you and your team to look at how well you can confidently, succinctly, and consistently answer these key questions:

  1. How does your model work?
  2. How do you assess adequacy and assure consistency?
  3. Where are the risks?
  4. What controls are in place?
  5. Where are the opportunities for improvement?
  6. How are model changes handled? 

More importantly, if none of you were there to answer those questions, is there sufficient documentation available that someone else could? Now that CECL is your new ongoing reality, it is critical that you can demonstrate understanding, both conversationally and in formal documentation. When it comes to model documentation and direct or related policies, procedures, and controls, the ultimate litmus test is that an independent third party could both understand and replicate what you’re doing. This should be true whether the independent third party is internal or external to your organization.

Tip: Record your answers to the key questions above. Then hand your model documentation to someone in your organization who is not directly involved with the ACL (allowance for credit losses) process, ask them to review it, and then ask them to explain back to you how your model works. How different are their answers and understanding from yours? This also works well to test specific procedures or processes.

Common themes or issues

One of the benefits of partnering with financial institutions across the US is the ability to pick up on common themes, trends, and issues—areas of opportunity to enhance and refine approaches to CECL. From this work, we offer the following observations and tips:

Change management  

In our experience, few institutions have a formal process in place for how CECL model changes are to be handled from here, yet this is a crucial component of model risk management. A good change management process includes how changes—either by the vendor or the institution—are to be assessed, how much analysis is expected, what level of review and approval (including by the board) is required, and how quickly the changes are to take effect. There should also be confirmation that the changes were implemented. For a risk-based approach to model change management, consider which types of changes create the most risk to your institution’s model or create the most volatility in reserve estimation outcomes, and match that risk to the level of assessment and approval authority required. 

Tip: An approval form cover sheet summarizing the changes and impacts along with maintaining a change log will help you evidence, track, and monitor these changes over time. 

Qualitative (Q Factor) support

We’ve seen a wide variety of methods and methodology construction under CECL, but one thing they have in common is a lack of real support for qualitative adjustments. Even with software integration and modeling techniques, it remains up to management to document their rationale for when, why, and to what extent qualitative adjustments are needed. It is a baseline expectation that management can describe what risk of loss is already accounted for in the quantitative model, what internal and external conditions and factors they are uniquely monitoring for each qualitative adjustment category they feel is needed, and how they determine to what extent adjustments should be made. If this adjustment is based on designating when risk is moving from low to medium to high, management should be able to indicate what triggers a move among these risk levels. One quick example for illustrative purposes: what range of delinquency rates for your institution is typical of a “neutral” risk level, or of a low- vs. moderate- vs. high-risk level? 

Tip: A simple spreadsheet documenting these critical aspects of management’s qualitative framework can go a long way to make sure this process is transparent and provides insight into any risk of reserve layering. 

Vendor risk

Assessing and managing vendor risk is a big topic. For some of the same reasons we saw an increased use of vendor solutions to comply with CECL, we’ve also seen what could be characterized as an over-reliance on vendors. One area we’ve found that needs some additional attention is the financial institution’s review and assessment of both their CECL model vendor’s SOC-1 Type-2 report and of any model validation the vendor may have contracted for separately. It isn’t always easy reading through and understanding these documents; however, it is vital to your assessment of the risk and controls the vendor has in place over these models and systems they have developed that you are relying on for the largest estimate in your financial statements.

Knowing what you’re looking for is key. For example, user entity controls are identified in the SOC report and often, for CECL, mean that controls need to be in place in multiple areas of the institution. If your vendor has had their model(s) independently validated, we encourage a close read of this work, as it should alert you to any limitations of that validation, such as feeder models that were not validated. 

Tip: Become familiar with the new supervisory interagency guidance on Third-Party Risk Management (June 2023) and the vendor life cycle. Doing so should help you assess gaps in your current approach to CECL vendor risk management. 

CECL resources

No matter your CECL challenge or pain point, our team of experts is here to help you navigate the requirements as efficiently and effectively as possible. We’d love to hear from you, or please feel free to explore our CECL resources to help you along the way.

CECL: Trends and post-adoption opportunities

Read this if you are responsible for cybersecurity or are a member of a board of directors for a company or a nonprofit organization.

I recently joined the board of directors of a local nonprofit organization that addresses homelessness and food insecurity in our community. While it is a larger, well-established organization, it still needed cybersecurity support. For me, it is a meaningful way to give back using my expertise while improving the risk posture and security practices of the organization. In my opinion, the most critical area any board of directors should be addressing, along with establishing and mitigating risk, is incident preparedness. The board should require and receive reports on incident management programs, and if they are in place, they should be tested on a frequent basis. 

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies and nonprofit organizations in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

For nonprofit boards, having an expert with cybersecurity skills as a board member may bring in needed guidance and expertise to an organization that may have limited resources, but is impacted by cybersecurity risks. It can be a valuable way to bring in advisory and oversight where it may be needed.

Additionally, all directors need to maintain continual knowledge about evolving cyber issues and management’s plans for allocating resources toward preparedness in responding to cyber risks. Such knowledge helps boards assess the priorities and investment decisions that management puts forth for critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cybersecurity risks for their organizations. They may be useful as a starting point for boards to use in their discussions and as a guide when looking at their oversight of management’s plans for addressing potential cyber risks.


  • What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
  • Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
  • Has the cyber risk management plan been tested?
  • Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
  • Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
  • What percentage of our IT budget is dedicated to cybersecurity?
  • Does that allocation conform to industry standards?
  • Is it adequate based on our threat profile?
  • What are the stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
  • What is the interaction model between senior management and the board for communications regarding cybersecurity?
  • Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

  • How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
  • Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
  • Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

  • Does the board play an active part in determining an organization’s cybersecurity strategy?
  • What are the key elements of a good cybersecurity strategy?
  • Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
  • How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
  • How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

  • What are the potential cyber threats to the organization?
  • Who is responsible for management oversight of cyber risk?
  • Has a formal cyber assessment been performed? Does it need to be updated?
  • Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
  • What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
  • Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

  • Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology, and are those individuals empowered to carry out those responsibilities?
  • Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
  • Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model as it may present a conflict. Many organizations align this function under the risk, compliance, audit, or legal functions, while others make it a direct or “dotted line” reporting to the CEO.)
  • Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

Cybersecurity controls

  • Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
  • What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
  • How effective are the organization’s risk management activities and controls identified in the assessment?
  • Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
  • Are there controls in place to ensure adequate, accurate, and timely reporting of cybersecurity-related content?
  • How does the company remain apprised of laws and regulations and ensure compliance?
  • What cloud services does our organization use and how risky are they?
  • How are we protecting sensitive data? Do we know what types of data the organization maintains? 

Threat intelligence and collaboration

  • What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
  • Does our organization share threat intelligence with law enforcement?
  • What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
  • What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

  • Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
  • How regularly should a board obtain IT metric information?
  • Is the information meaningful in a way that prompts a reaction and provides a clear understanding of the level of risk the organization is willing to accept, transfer, or mitigate?
  • How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

  • How does management validate the type and volume of cyber-attacks?
  • Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
  • How does an incident response and recovery plan fit into the overall cybersecurity strategy?
  • Is the board’s response role clearly defined?
  • Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
  • Is there a culture of cyber awareness and reporting at all levels of the company?
  • Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

  • How does the board remain current on cybersecurity developments in the market and the regulatory environment?
  • How does the board currently evaluate directors' knowledge of the cyber environment and the cybersecurity issues impacting their organizations?
  • Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
  • Are directors provided with educational opportunities in this area?
  • Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

  • Has oversight of cybersecurity reporting been defined for management and the board?
  • Are company policies and procedures to identify and manage cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, board of directors’ cybersecurity expertise, and its oversight of cybersecurity risk being included within the financial statement and proxy disclosures?
  • Does the company have a mechanism for timely reporting of material cybersecurity incidents?
  • Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help. 

Board oversight of cybersecurity: Questions to ask

Read this if you are a board member or responsible for providing CECL information to your board.

We’ve heard so much about Current Expected Credit Losses (CECL) in the past few years leading up to its adoption by all remaining financial institutions in recent calendar year-end financial statements. The focus has been, rightfully so, on its actual adoption—making sure policies and procedures are adjusted to appropriately account for the new standard and that financial statement disclosures comply with the new requirements. With year-end 2023 largely concluded, and people having had the chance to catch their breath, the focus understandably shifts to how best to optimize CECL for the long haul. Although we like to think the hard part (i.e., adoption) is behind us, which is certainly a reason to celebrate, there are questions that may need answers. One of those is figuring out how much CECL information you should provide to your board, and how often.

We often get inspiration in answering this question from Goldilocks: not wanting to provide too much information but also not providing too little—you want to provide just enough. This means providing enough information so board members can knowledgeably assess the adequacy of the allowance and provide robust challenge while not getting so much information that they could, in theory, reperform the calculation themselves. Some items to consider including in your board communications are:

Key inputs and assumptions

There are likely many inputs and assumptions that go into your CECL calculation, all of which bear some impact on your overall allowance. You likely identified those inputs and assumptions that are most important to your calculation when implementing the standard. Best practice is to have documented these key inputs, assumptions, and management’s rationale for them in a model document, and to include a monitoring schedule in your ACL policy for the frequency with which they will be reviewed and updated—and under whose authority review and approval is required.

Of course, each period, any changes requiring board approval will need to be disclosed to the board. But as part of your ongoing disclosure to the board, consider providing an overall summary of key inputs and assumptions and highlighting any that shifted in the prior period. These may include prepayment speeds, forecasting models, forecast length, reversion length, probability of default and loss given default, and aging buckets. This summary could be in narrative form, but it may be more effective to provide it as a list showing the inputs and assumptions period-over-period and explaining any significant changes. This will allow your board to quickly assess what has changed and effectively challenge those changes.

Analytics and trends

Analytics can be an effective tool in assessing your allowance calculation. We recommend incorporating analytics into management’s own review of the allowance calculation, as a final check before approving the calculation for the period. Many of these analytics could likely be recycled and provided to boards as part of your reporting. Some analytics to consider using are:

  1. Changes in the allowance period-over-period, possibly broken up by financial asset type
    For instance, for financial institutions, the financial asset type could be its various loan portfolio segments. For commercial entities, it could be the age of the receivables. Set a variance threshold for any changes period-over-period and investigate those changes that meet this threshold. The resulting explanations can then be incorporated into your board reporting.
  2. Charge-off trends
    Examine historical charge-off activity, looking for any significant changes over recent periods. Although recent charge-off activity may not correlate directly with your allowance levels, given the CECL requirement related to reasonable and supportable forecasts and the use of forward-looking information, recent trends in charge-off activity could prove to be useful information for boards. If there are significant differences between recent charge-off levels and your current allowance, this may call for an explanation as to why. Consider presenting your charge-off activity in the form of an analytic, such as charge-offs as a percentage of credit loss expense.
  3. Delinquency trends
    Consider providing the board information on the payment status of your outstanding receivables, likely the largest financial asset subject to CECL. Past due buckets, for instance (segregating your receivables by days past due), can be useful information for the board. Again, providing a period-over-period comparison can make the analysis that much more powerful. The usefulness of this information may vary, as it is possible that past due status is an input into your allowance calculation or qualitative adjustment methodology. Thus, the way in which this analytic is discussed with your board will likely vary depending on your allowance calculation.

Peer comparison

One of the more challenging aspects of CECL is finding good comparisons. Because there is so much leeway given to adopters under CECL for how to construct their methodology, we advise that peer comparisons be used with caution. However, peer comparisons should not simply be ignored for this reason. Peer comparisons can provide valuable insights into how like-kind companies are approaching their allowance calculations and reserve-level expectations. The emphasis now is on determining which peers are truly like-kind to you in the context of CECL and covered financial assets. Again, peer results may vary significantly from your own company’s results, but such differences may lead you and your board to consider whether those are really your peers, or to challenge your own model outputs, inputs, and assumptions.

CECL or Allowance for Credit Losses (ACL) policies

Maintaining a CECL or Allowance for Credit Losses (ACL) policy is an important part of overall governance. This policy should not go into as much detail as other model development, design, and calculation procedural documents. But it should address governance roles and responsibilities, authority, and required model risk management activities and standards, in addition to ongoing monitoring and reporting. Review this policy on an annual basis and present it to the board for approval. This policy will also help dictate how much CECL information is provided to the board and will allow you to revisit how much information and what types of information are provided at least annually.

Finding that “just right” mix of information takes time and will vary depending on your company’s specific circumstances. Companies for which the CECL calculation is a significant estimate will likely require more information than those for which CECL is less significant. Frequently ask your board if they feel as if they’re getting the right mix of information. Don’t be afraid to experiment with different reports and different levels of reporting. As always, if you have any questions or want some additional direction, please don’t hesitate to reach out to your BerryDunn team.

Providing CECL information to your board: Best practices

Read this if you are involved in recruiting board members.

Board members serve as the backbone of companies and organizations across industries. They provide direction, oversight, and strategic guidance. Selecting the right people to serve on your board is important for the success of your organization. Here are some things to consider as you look for board members that fit your needs.

  • Identify and understand your needs
    Before initiating the recruitment process, identify the specific skills, experiences, and perspectives your board lacks or skills that could enhance board and organizational effectiveness. This can vary depending on what your board needs, but often includes financial acumen, legal knowledge, extensive management experience, and industry connections.
  • Outline the roles, responsibilities, time commitments, and expectations
    Be transparent about your mission, values, and the challenges you face. This clarity will attract candidates who match your goals and can fully understand what they're signing up for.
  • Reach out to your existing network
    Personal recommendations often yield high-quality candidates who are already familiar with your work and business. You could also consider spreading the word through company communications like newsletters and bulletins, social media, and events.
  • Actively seek out candidates from different age groups, ethnicities, genders, professions, and geographic locations
    Diversity in background, perspective, and experience enriches discussions, fosters innovation, and ultimately better serves your organization. 
  • Screen candidates thoroughly
    Implement a rigorous selection process to assess candidates' qualifications, commitment, and alignment with your values. Conduct interviews to gauge their passion for the business, leadership style, and ability to collaborate effectively. Consider requesting references and conducting background checks if deemed necessary.
  • Provide orientation and training
    Once selected, provide comprehensive orientation and continuous training to new board members. Familiarize them with your history, programs, governance structure, and strategic priorities. Offer opportunities for professional development to enhance their effectiveness in fulfilling their roles.
  • Engage the board
    Cultivate a culture of active participation, open communication, and accountability among board members. Encourage them to contribute their unique perspectives, skills, and networks to advance your goals. Establish expectations, evaluation mechanisms, and term limits to ensure accountability and prevent stagnation.
  • Nurture a supportive and inclusive board culture where members feel valued and empowered
    Celebrate achievements, recognize contributions, and cultivate camaraderie through team-building activities and meaningful interactions.
  • Regularly evaluate the effectiveness of your board composition, dynamics, and processes
    Solicit feedback from board members, staff, and stakeholders to identify areas for improvement and adaptation. Be willing to make necessary adjustments to ensure the board remains agile, responsive, and aligned with your evolving needs and goals.

By following these steps and approaches, your team can assemble a dynamic and dedicated board of directors equipped to navigate challenges, seize opportunities, and drive meaningful impact for your company or organization.

Finding the right fit: Recruiting board members

Read this if you are responsible for your company’s income tax provision and disclosures.

In December 2023, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) No. 2023-09, Income Taxes (Topic 740): Improvements to Income Tax Disclosures. Although this ASU does not impact the accounting for income taxes, it does impact the disclosures of such and is applicable to all entities subject to income taxes. According to the FASB, “the Board is issuing the amendments…to enhance the transparency and decision usefulness of income tax disclosures. Investors, lenders, creditors, and other allocators of capital indicated that the existing income tax disclosures should be enhanced to provide information to better assess how an entity’s operations and related tax risks and tax planning and operational opportunities affect its tax rate and prospects for future cash flows.”

The main components of the FASB’s ASU can be broken down into three areas, as the ASU itself does:

  1. Rate Reconciliation
  2. Income Taxes Paid
  3. Other Disclosures

Rate Reconciliation

This amendment is only for public business entities. Public business entities have always been required to provide a rate reconciliation, reconciling income tax expense at the statutory rate to the entity’s effective tax rate. This rate reconciliation could be displayed in amounts or percentages. ASU No. 2023-09 requires this rate reconciliation be displayed in both amounts and percentages and also identifies the following specific categories that must be disclosed:

  1. State and local income tax, net of federal (national) income tax effect
  2. Foreign tax effects
  3. Effect of changes in tax laws or rates enacted in the current period
  4. Effect of cross-border tax laws
  5. Tax credits
  6. Changes in valuation allowances
  7. Nontaxable or nondeductible items
  8. Changes in unrecognized tax benefits

There is also a requirement that any reconciling item greater than 5% of the statutory income tax expense be separately disclosed, even if not one of the specific categories identified in the ASU. Furthermore, this 5% threshold applies to the cross-border tax laws, tax credits, and nontaxable or nondeductible items categories, meaning that if the reconciling item is within these categories and is above the 5% threshold, the item must be disaggregated by its nature. The 5% threshold also applies to the foreign tax effects category in that this category is required to be disaggregated by jurisdiction (country) and by nature if meeting the 5% threshold.

For example, let’s say an entity has research and development tax credits as well as energy-related tax credits, both of which are in excess of the 5% threshold. These tax credits would be required to be separately disclosed. However, let’s say tax credits in total are below the 5% threshold. In this case, tax credits would still need to be separately disclosed, as they are one of the specific categories identified in the ASU but would not need to be further disaggregated.

For the state and local category, a public business entity is required to provide a qualitative description of the states and local jurisdictions that make up the majority (greater than 50%) of the effect of the state and local income tax category. So, for instance, if the entity’s state and local tax is primarily derived from taxes to the States of Maine and Massachusetts, this fact must be disclosed.

Entities other than public business entities are required to qualitatively disclose specific categories of reconciling items and individual jurisdictions that result in a significant difference between the statutory tax rate and the effective tax rate. Paragraphs 740-10-55-232 and 55-233 provide an illustration of these disclosures.

Income Taxes Paid

All entities now must disclose:

  1. The amount of income taxes paid (net of refunds received) disaggregated by federal (national), state, and foreign taxes
  2. The amount of income taxes paid (net of refunds received) disaggregated by individual jurisdictions in which income taxes paid (net of refunds received) is equal to or greater than 5% of total income taxes paid (net of refunds received).

Other Disclosures

All entities now must disclose on an annual basis:

  1. Income (or loss) from continuing operations before income tax expense (or benefit) disaggregated between domestic and foreign
  2. Income tax expense (or benefit) from continuing operations disaggregated by federal (national), state, and foreign.

The ASU does eliminate the requirement for all entities to (1) disclose the nature and estimate of the range of the reasonably possible change in the unrecognized tax benefits balance in the next 12 months or (2) make a statement that an estimate of the range cannot be made.

This ASU is effective for public business entities for annual periods beginning after December 15, 2024. For entities other than public business entities, the ASU is effective for annual periods beginning after December 15, 2025. Early adoption is permitted. The ASU should be applied on a prospective basis although retrospective application is permitted.

The BerryDunn perspective

On the surface, this ASU may not seem important, as it only impacts disclosure. But the level of disaggregation required could make this ASU a time-consuming one to implement, especially for those entities that operate in many states and foreign jurisdictions. As indicated above, all entities now must disclose income tax expense and income taxes paid by federal, state, and foreign. This may require modifications to existing tax provision procedures to ensure this information is readily available come time to populate the income tax disclosures in your entity’s financial statements.

Conversations with those responsible for preparing the income tax provision should start now so the best process to accumulate the information needed for these new disclosures can be identified proactively, reducing, or possibly eliminating the amount of rework needed when it comes time to adopt this accounting standard. As always, please don’t hesitate to reach out to your BerryDunn team should you have questions.

FASB issues an ASU focused on income tax disclosures