
For many hospitals and health systems implementing Electronic Health Record (EHR) systems, the "go-live" milestone is less of a celebration and more of a stumbling point—even when the implementation seemed like a triumph. Why does this happen? The truth is, go-live is just one of many milestones on the long ascent of your EHR journey.

If your organization is in the process of a large-scale project, such as replacing or implementing an electronic health record (EHR) system in the near future, success will depend on having a sound communication plan in effect before, during, and after the implementation. Fortunately, effective communication is not a difficult task to achieve. Based on our experience helping local governments implement EHR and other systems nationwide, our team has developed five simple communication steps for successful implementations.

In today's rapidly evolving business landscape, boards of directors are more than just stewards of governance—they are the strategic compass guiding an organization toward enduring success. As the challenges facing companies grow increasingly complex, from disruptive technological trends to shifting societal expectations, the board's role has never been more critical.  

This series is designed to empower board members with the insights and tools necessary to navigate change with confidence. Our experts, each a leader in their respective fields, will share real-world examples, practical frameworks, and actionable advice in a Q&A format, as well as lessons learned from their personal and professional journeys. 

Embedding security awareness and risk into organizational culture 

For the latest installment of our board leadership series, BerryDunn Financial Services Practice Group Senior Manager Lindsay Francis shares key insights on information security awareness and risk, including how to embed it in your organizational culture.  

Q. What is the current risk landscape and how do employee behaviors (e.g., phishing clicks, weak passwords) contribute to organizational exposure? 

A. Risks are part of everyday business and require an organizational culture of awareness and a commitment to staying up to date on changes—whether these are security risks directly affecting you or those that trickle down from your vendors. It’s important for every member of the organization to remain aware that their actions, or inactions, both help to protect and have the potential to undermine the security controls you or your vendors have put in place to protect your environment.  

There are times when security controls can seem cumbersome and appear to slow down processes, but when designed properly—which requires a balance of protection and allowing business-critical objectives to continue in a reasonable manner—those security controls help to keep the day-to-day processes running as smoothly as possible. Security incidents slow down the ability to perform important responsibilities.

Both phishing clicks and weak passwords continue to contribute to a large proportion of security breaches. Although this is not a new concept, security fatigue has added another risk where employees are overwhelmed by the constant threats, the need to scrutinize every email, and the long list of passwords and multifactor authentication techniques required to perform everyday tasks. This can lead to employees looking for loopholes, ignoring important security measures, or failing to identify threats. Organizational culture should help employees embrace the mindset that investing time in prevention is crucial to helping avoid incidents.

Q. How do you differentiate information security awareness from general IT training or technical cybersecurity programs? 

A. Information security awareness focuses on culture. The key is to help employees recognize risks and respond appropriately. IT training is more technical, with the purpose of teaching specific skills and procedures. Cybersecurity programs are broader, covering the technical aspects with security controls, incident response, and compliance, as well as education goals and training schedules to promote ongoing security awareness. 

Q. How does an organization help ensure security awareness is part of a broader, ongoing effort to build a security-conscious culture and not a one-time initiative? 

A. Security awareness needs to be included throughout the lifecycle of employees—from onboarding to regular training, as well as ongoing communications. Continuous learning cycles, including short learning modules and periodic phishing simulations, help reinforce secure behaviors. Leadership must champion security as a core value, and metrics should be used to measure progress. 

Q. What cultural challenges are organizations facing in terms of encouraging secure behaviors and how can they be addressed? 

A. Challenges can include resistance to change, security fatigue, a lack of understanding of the direct consequences to the employee’s day-to-day tasks in the event of a security incident, and insufficient leadership support. Addressing these requires leadership engagement, highlighting why it’s important, continuous training delivered in small exercises, and a focus on positive reinforcement. This last part is key—when employees feel punished for failing a training exercise, their attitudes can become another obstacle to overcome. When remediation training is required, it should be posed as a supportive measure to help create engagement and reeducation. Lastly, measuring and reporting on culture, not just compliance, is crucial to understanding where resistance and fatigue may linger. 

Q. How do organizations stay current with emerging security threats and adjust awareness training to address these new risks (e.g., AI-driven attacks, deepfakes)? 

A. Typically, the teams within IT, Risk, and/or Compliance are keeping up to date with new security trends and threats. It’s essential for organizations to use that knowledge to update awareness programs, communicate those to the organization, and coordinate with any training vendors on how to include new threats like AI-generated phishing and deepfakes into the ongoing training modules. Incident response exercises and real-world case studies can help employees recognize and respond to evolving risks. 

Q. How do software vendors fit into the cybersecurity ecosystem and what should the Board know about vendor risks? 

A. Gaining advantages in technology, operational efficiencies, and expertise does not come without a downside—vendor use comes with its own layer of risks. Although Software-as-a-Service (SaaS) providers are hosted in the cloud, which means they are not within your network, this does not prevent a breach of your vendor from reaching your network. Your security is only as strong as your weakest vendor’s security. Each vendor should be properly vetted from an information security perspective before a contract is signed. Functionality of the software cannot be the only driving factor.

The Board should review the organization's vendor management program and processes to look for gaps in both the initial scoping and onboarding steps, including whether a cross-functional approach is used to perform due diligence, as well as what the ongoing due diligence entails. For example, has research been performed on whether the vendor has experienced any security incidents prior to signing a contract, and how will your organization be informed if there is a future event, and is this stated in your contract? Does the organization require multifactor authentication for all vendor software to help prevent hackers from taking advantage of weak passwords?  

Annual updates should be provided to the Board on the risk ratings for each vendor, the mitigation controls in place for high-risk vendors, and the organization’s actions in response to any vendor security incidents. In addition, the Board and management should consider vendor software availability during the annual review and update process when ranking the risks of each vendor. For example, do you have a plan if your vendor is suddenly unavailable? Have you tested a disaster recovery scenario with the vendor, or do you have a manual process to keep your daily tasks on schedule in the meantime while the vendor works to restore its service? 

Q. What role should the Board play in driving security awareness throughout the organization? 

A. The Board should set the tone for security, ensure regular training, and require reporting on the organization’s security posture. Board members must be cyber-literate and engage with security leaders to understand risks and mitigation strategies.

Q. How often should the Board receive updates on security awareness, and in what format? 

A. Best practice is quarterly updates, at a minimum, with additional briefings after major incidents or regulatory changes. Formats can include dashboards, executive summaries, and presentations that highlight key metrics, trends, and action items. Another helpful tool can include Board-specific training to help brush up on cybersecurity knowledge to keep the Board up to date on trends and industry-specific risks.

Q. How do organizations ensure that security awareness is integrated into overall organizational governance, risk management, and business continuity planning? 

A. Security awareness is an imperative part of the organization’s governance framework, which should include embedding awareness into operational policies as well as the risk management program, incident response plan, disaster recovery plan, and business continuity plan. Training should align with risk assessments, with higher attention given to higher-rated risks, and provide multiple reminders throughout the year of the key steps all employees should know about reporting suspicious activity or security events. Annual disaster recovery and business continuity exercises should include multiple departments to help ensure high collaboration during a real-life event. In addition, this context reinforces a security awareness mindset and may help provide a better understanding of the challenges and consequences of failing to prevent an incident.

About Lindsay 

As a member of BerryDunn’s Financial Services Practice Group, Lindsay helps clients identify improvements in information security, operational efficiency, and IT service delivery. She has worked across multiple industries—including banking, healthcare, public gaming, and higher education—to help clients gain control of IT and financial operations. This, coupled with Lindsay’s experience working with complex organizations to meet regulatory and industry standards, provides clients with a unique and valued perspective. Learn more about Lindsay. 

BerryDunn partners with organizations to create work environments where business success and personal growth coexist and where people are confident knowing their workplace positively contributes to their well-being. We take a comprehensive approach to our workforce and well-being work, considering how business needs, organizational capacity, and the employee experience work together to drive your business forward. Learn more about our workforce and well-being team and services.

Article
Corporate board leadership: Core principles in security awareness and risk

Read this article if you are a CFO or controller at a nonprofit organization. 

For nonprofit organizations, every resource matters. Selecting the right Enterprise Resource Planning (ERP) system is no longer just a technology decision; it’s a strategic choice that impacts the entire organization. With so much at stake, it’s essential to approach ERP evaluation and implementation with careful planning and expert guidance. Follow these four steps for best practices to help you make informed decisions that support the mission and vision of your organization during the process.

Step 1: Assess the case for change 

Start by evaluating whether the current ERP environment is serving your organization’s needs. This assessment can help determine if incremental improvements through optimization are enough, or if a more significant change is required. 

Key questions to consider: 

  • What pain points or inefficiencies exist with your current system? 

  • Are new or upcoming regulatory requirements putting additional strain on your current ERP? 

  • How ready is your organization for change? 

  • What is the technical literacy of the impacted employees? 

  • What infrastructure and resources are required to implement and support a new ERP? 

  • Is your current ERP being retired or phased out by the vendor? 

  • Are there third-party systems or manual processes that could be streamlined? 

This stage often uncovers gaps not just in technology, but also in processes and organizational alignment. 

Step 2: Define organizational needs and priorities 

Once the case for change is clear, nonprofits should identify their “must-have” features versus “nice-to-haves.” ERP systems offer a wide variety of modules, but the right solution is the one that aligns with your operational and reporting priorities. 

Typical core ERP components nonprofits may consider include: 

  • General ledger  

  • Accounts payable and receivable 

  • Budgeting and forecasting 

  • Grants and donor management 

  • Cost center allocation and reporting  

  • Fixed assets tracking 

The key is to make sure the solution not only meets requirements and manages resources well but also offers insights that help guide mission-driven decision-making. 

Step 3: Evaluate the options strategically 

With your organization’s needs clearly defined, the next step is to evaluate potential ERP solutions through a careful and deliberate process. 

Focus on how well each system matches your nonprofit’s operations and long-term goals rather than being distracted by impressive features. Involve staff from different departments to get a complete picture of how each option supports your priorities. Consider not just immediate benefits, but also how the system will serve your organization in the future.  

A thoughtful and structured evaluation process will help you look beyond first impressions and choose an ERP solution that delivers lasting value and supports your mission and your teams in their daily work. 

Step 4: Prepare for implementation success 

Selecting the right ERP solution is just the first step; true success depends on effective implementation. For nonprofits, this means carefully managing both the technical aspects of the rollout and the impacts on staff who will be adapting to the new system.  

Strong leadership, active staff involvement, and a well-organized approach to change are essential for successful adoption. Preparing your team, aligning departments, and developing a clear plan for change management, training, and communication can make the difference in achieving a smooth implementation and adoption of the solution across your organization. With this foundation, nonprofits can maximize the benefits of their new solution.

BerryDunn can help 
The right ERP system can help your organization increase efficiencies, reduce risk, and make informed, data-driven decisions. Implementing a new system is a critical decision with significant business impacts. BerryDunn’s team can provide assessment, system evaluation, and implementation services for ERP systems for nonprofits, such as financial and student information systems, and can expertly guide you through the process. Learn more about our services and team.  

Article
Four steps for successful nonprofit ERP system selection

Starting January 1, 2025, a new individual tax benefit allows taxpayers to deduct certain interest paid on loans for qualified passenger vehicle purchases. This deduction is available through the end of 2028 and presents both opportunities and compliance responsibilities for lenders. 

Eligibility criteria for the deduction 

To qualify, the vehicle must: 

  • Weigh less than 14,000 pounds 

  • Have its final assembly point in the United States 

  • Be purchased after December 31, 2024 

  • Be new with its original use beginning with the taxpayer 

Required reporting by lenders 

Lenders must provide borrowers with specific information to support their deduction claims. The required data includes: 

  • Total amount of interest received during the calendar year 

  • Origination date of the loan 

  • Principal balance at the beginning of the year 

  • Confirmation that the vehicle meets the eligibility criteria 

If Vehicle Identification Number (VIN) data is not currently captured or is stored in a separate system, lenders should begin exploring ways to access and integrate this information to ensure accurate reporting. 

Transitional relief for 2025 

On October 21, 2025, the IRS announced transitional relief for lenders for the 2025 tax year. Lenders will not be subject to informational reporting penalties as long as they provide the total amount of interest received on qualified auto loans to customers via online banking platforms, regular account statements, or other reliable methods. 

The IRS has not yet issued a specific form or instructions for this reporting and it is not expected to do so for the 2025 tax year. The IRS has indicated that a standardized form (like Form 1098) is expected for 2026 and beyond. 

Reporting deadline 

The deadline for lenders to provide the required information to customers is January 31, 2026.

Phase-out of the deduction 

The deduction begins to phase out for taxpayers with modified adjusted gross income (MAGI) above $100,000 for single filers and $200,000 for joint filers. Taxpayers above these thresholds will see a gradual reduction in the allowable deduction amount. The deduction is reduced by $200 for every $1,000 of MAGI above these thresholds and is fully phased out at $149,000 for single filers and $249,000 for joint filers.  

What lenders should do now 

  • Determine how required information will be reported to borrowers for 2025. 

  • Review systems to ensure VIN and vehicle eligibility data can be accessed. 

  • Prepare to track and report interest and loan details on an informational tax form starting in 2026. 

  • Communicate with borrowers about the upcoming deduction and reporting timeline. 

This new deduction offers a valuable benefit to consumers and a chance for lenders to support tax compliance while enhancing customer service. 

BerryDunn can help 

Our dedicated audit, tax, and consulting professionals understand the financial services industry and its challenges, and are committed to helping you meet and exceed regulatory requirements. We partner with you to bring tailored approaches to fit your needs and operations and provide guidance on best practices and recommendations that make sense for you. Learn more about our services and team. 

Article
New tax break on vehicle loan interest: What lenders need to know

Read this if you are a CFO, director of HR, or a retirement plan sponsor. 

Beginning January 1, 2026, significant changes will affect catch-up contributions to retirement plans for high-earning individuals, sometimes referred to as ‘highly paid participants.’ This group of high-earning individuals will be more inclusive than the current definition of a Highly Compensated Employee. The new rules, enacted as part of recent legislative updates, specifically target plan participants whose prior-year compensation exceeds a set threshold and require that their catch-up contributions to 401(k), 403(b), and governmental 457(b) plans be made on a Roth (after-tax) basis. 

This article provides an overview of these new requirements, focusing on the affected plan participants, and discusses the pros and cons as well as key considerations for employers and affected individuals in advance of the transition deadline on December 31, 2025. Importantly, plan sponsors will need to coordinate compliance with their payroll provider and retirement plan recordkeeper. Plan sponsors will also need to communicate the new rules to the affected plan participants. 

Overview of 2026 Roth catch-up contribution changes 
 

Under current law, individuals age 50 and older can make catch-up contributions to employer-sponsored retirement plans, such as 401(k), 403(b), and eligible governmental 457(b) plans. Historically, these catch-up contributions could be made on either a pre-tax or Roth basis, depending on plan provisions and the participant’s salary deferral election. Starting January 1, 2026, however, plan participants whose prior-year Social Security wages with the employer equal at least $145,000 (indexed annually beginning in 2026) will be required to make all catch-up contributions as Roth contributions. This means these contributions will be made with after-tax dollars and will not be tax-deductible, but qualified withdrawals in retirement generally will be tax-free. 

Significantly, any Roth salary deferral contributions made by a high earner (e.g., a regular deferral contribution or a catch-up contribution) count towards satisfying the Roth catch-up requirement. This means that if a high earner is already making regular Roth deferrals, they would not be required to make Roth catch-up contributions after the normal salary deferral limit (i.e., $23,500 for 2025) is reached as long as the Roth contributions exceed the catch-up limit (i.e., $7,500 for 2025). The plan sponsor may default those contributions that are over the normal salary deferral limit to Roth treatment, but the plan must allow the high earner to choose to make catch-up contributions on a pre-tax basis (assuming they have already made the required amount of Roth contributions). Essentially, this means a plan sponsor can only mandate Roth treatment for contributions up to the dollar amount of that year’s catch-up limit (i.e., $7,500 for 2025). 

New 2026 Roth rules for partners, other self-employed individuals, and owners 
 

The relevant guidance clarifies that a participant who does not have Social Security wages, such as a partner with self-employment income, will not be subject to the Roth catch-up requirement. This group would also include sole proprietors and members of an LLC taxed as a partnership. 

However, the Roth catch-up requirement will apply to owners of a C-Corp or S-Corp who have Social Security wages equal to at least $145,000 (indexed) reported on Form W-2, Box 3. 

Other pertinent Roth 2026 rule changes to consider 

Wage limit is not pro-rated: The relevant guidance states the Social Security wage amount (i.e., $145,000, indexed) is not pro-rated for an employee’s partial year of employment. For example, an employee who is hired on September 1, 2025, at a $200,000 salary will not be subject to the Roth catch-up requirement in the 2026 plan year because the employee’s Social Security wages would only be approximately $66,600 for the 2025 calendar year. 

Employer definition: The relevant employer is the common law employer of the plan participant. The final regulations allow a plan to aggregate the Social Security wages a participant receives from all employers in a controlled group and/or where a common paymaster is used. If a plan sponsor wants to take advantage of this permissible aggregation, however, it must specify in the plan which aggregation method it is using and what groups are being aggregated. 

Deemed elections: A plan may provide that an election by a participant subject to the Roth catch-up contribution requirement to make salary deferral contributions on a pre-tax basis will be treated as a deemed election to make catch-up contributions as designated Roth catch-up contributions. If a plan will apply deemed elections, the plan document must provide for them and must permit participants to change their deemed elections. Alternatively, a plan sponsor could require the affected plan participant to make a separate election for Roth catch-up contributions.  

Super catch-up contributions: Made by participants who attain age 60 to 63 during a calendar year, these contributions are subject to the Roth catch-up contribution requirement. 

Employers will need to track compensation across all relevant categories to ensure compliance and retirement plan administrators will need to update procedures to enforce the Roth catch-up rule for affected participants. 

Pros and cons of the 2026 Roth catch-up requirement 

Pros

  • Tax-free growth: Roth contributions grow tax-free and qualified withdrawals in retirement are not subject to federal income tax, potentially providing greater after-tax retirement income. 

  • No Required Minimum Distributions (RMDs): Roth 401(k) and Roth IRA accounts are not subject to RMDs during the account holder's lifetime, offering more flexibility in retirement planning. 

  • Estate planning benefits: Roth accounts can be advantageous for heirs due to tax-free distributions. 

Cons

  • No immediate tax deduction: Roth contributions are made with after-tax dollars, so high earners lose the immediate tax deduction that pre-tax catch-up contributions previously provided. 

  • Higher current tax liability: Switching to Roth catch-up contributions may increase current-year taxable income, possibly moving participants into a higher tax bracket. 

  • Complexity for employers: Employers and plan sponsors must implement new administrative procedures to track compensation and enforce Roth-only catch-up contributions for eligible participants. 

Actions for employers and high earners before December 31, 2025 

With the new Roth catch-up requirement taking effect on January 1, 2026, employers and affected high earners should take proactive steps in 2025 to prepare for the transition: 

  1. Review plan documents: Employers should ensure that their retirement plan documents support Roth catch-up contributions, updating them if necessary.

  2. Assess payroll and administrative systems: Ensure systems can accurately track compensation and enforce the Roth catch-up requirement for high earners.

  3. Communicate with participants: Provide clear information to employees about the upcoming changes, how compensation is calculated, and the implications for their retirement savings.

  4. Tax planning: The affected plan participants should consult with tax advisors to assess the impact of losing the pre-tax catch-up option and to explore strategies for minimizing overall tax liability.

  5. Maximize pre-tax catch-up contributions in 2025: Eligible individuals may wish to maximize their pre-tax catch-up contributions before the new requirement takes effect.

  6. Evaluate Roth vs. pre-tax savings: Consider the long-term benefits of Roth savings, including tax-free withdrawals and estate planning advantages, versus the short-term impact on taxable income.

Start planning now for 2026 Roth changes 

The new Roth catch-up contribution requirement for certain plan participants marks a significant shift in retirement plan rules. While the change offers potential long-term tax benefits, it also increases current tax liability and administrative complexity. Employers and affected individuals should use the time before December 31, 2025, to review plan provisions, communicate with participants, and engage in strategic tax planning to ensure a smooth transition and take full advantage of available retirement savings opportunities. 

BerryDunn is one of only a few firms that specializes in all aspects of retirement plan design, optimization, and management. We understand the importance of a sound retirement plan strategy and its impact on business operations. And, we’ll help you stay abreast of new regulations, investment options, and contribution limits and present you with opportunities to realize more value as they arise. Learn more about our services and team.  

Article
Understanding the 2026 Roth catch-up changes for high earners

Local governments across the United States are facing a historic workforce transition. With nearly 38% of the local government workforce expected to retire within the next five years, the sector is confronting what experts have dubbed the “Silver Tsunami.” This wave of retirements, driven by an aging workforce and accelerated by post-pandemic burnout, is creating a perfect storm of staffing shortages, institutional knowledge loss, and increased pressure on remaining employees. 

The numbers are stark. The median age of local government employees is 45, and nearly half are over 50. In states like Washington, this translates to tens of thousands of experienced workers nearing retirement. These employees often hold deep institutional knowledge—insights into community history, operational processes, and policy nuances—that are difficult to replace. Without structured succession planning, which only 12% of government organizations currently have in place, this knowledge is at risk of vanishing as employees exit the workforce. 

The impact of this demographic shift is already being felt. Public safety, skilled trades, IT, healthcare, and education support roles are among the hardest to fill. Many agencies report a lack of qualified applicants, high turnover rates, and increasing time-to-hire. Over half of government managers say they frequently have to reopen job postings due to insufficient candidate pools. This not only delays service delivery but also increases workloads for remaining staff, contributing to burnout and further attrition. 

Younger generations, particularly Millennials and Gen Z, bring different expectations to the workplace. They prioritize work-life balance, career development, and purpose-driven organizational cultures. To attract and retain this talent, local governments must evolve—offering flexible work models, investing in professional development, and fostering inclusive environments that support employee well-being. 

So, how can local governments respond to this workforce crisis? 

Strategic solutions for a resilient local government workforce 

Invest in training and upskilling: New hires often lack the specialized skills required for public-sector roles. Governments must invest in training programs, certification access, and leadership development to build a future-ready workforce. 

Modernize HR systems: Centralized, integrated HR platforms can provide better visibility into workforce trends. Predictive analytics can help forecast retirements, identify skill gaps, and support data-driven succession planning. 

Embrace flexible work models: Hybrid and remote work options are increasingly expected. Providing collaboration tools and focusing on outcomes rather than micromanagement can help retain younger workers. 

Prioritize employee experience: Burnout is real—77% of employees report that turnover has increased their workload. Wellness programs, engagement surveys, and recognition initiatives can improve morale and retention. 

Work smarter with AI tools: AI can automate repetitive tasks like document processing, permit approvals, and meeting transcription. It can also power chatbots that handle resident inquiries 24/7, freeing up staff for more complex work. In HR, AI tools can assist with resume screening, onboarding, and even personalized learning paths for employee development. 

By integrating AI into daily workflows, local governments can reduce administrative burdens, improve decision-making, and enhance the employee experience. More importantly, it allows human workers to focus on what they do best—serving their communities with empathy, insight, and dedication. 

What's ahead for the local government workforce? 

The workforce revolution in local government is not a distant threat—it’s happening now. Whether this transition becomes a crisis or a catalyst depends on how leaders respond. With strategic planning, a commitment to employee development, and the smart use of technology like AI, local governments can not only weather the storm but also emerge stronger, more agile, and better equipped to serve the public in the years ahead. 

Focused on inspiring organizations to transform and innovate, BerryDunn’s Local Government Practice Group can help you solve your biggest challenges for your organization as a whole and in specific areas. Our team is comprised of broadly specialized consultants and former local government employees that exclusively serve local government clients. Learn more about our services and team. 

Article
The silver tsunami and the future of local government: Advice for a resilient workforce