IT security

In today's rapidly changing job market, the importance of workforce development cannot be overstated. As public health evolves and new challenges emerge, both new and seasoned professionals need guidance to navigate their careers effectively. The 2021 Public Health Workforce Interests and Needs Survey found that 16–18% of the workforce considers programmatic expertise highly important to their day-to-day work, yet reports low proficiency in this area. Whether guiding fresh graduates or supporting experienced employees, mentoring is a vital step in the workforce lifecycle. It bridges the gaps from academic learning and onboarding through career transitions to professional growth and expertise, helping individuals move from passion to practice and thrive in their respective areas. 

Workforce Lifecycle Model 

At its core, mentoring is a relationship where a more experienced individual—often referred to as the mentor—offers guidance and support to someone with less experience, the mentee. This relationship can be incredibly impactful, offering insights and advice beyond what is taught in classrooms or learned through hands-on experience alone.

Mentoring facilitates knowledge transfer, allowing mentors to share practical experiences and industry-specific knowledge that help mentees avoid common mistakes and navigate their careers with confidence. Mentors also introduce mentees to professional networks, creating valuable connections that can lead to new opportunities and career advancement. 

Principles of mentoring 

A successful mentoring relationship is built upon several guiding principles: 

Mutual respect: A successful mentoring relationship is built on mutual respect between mentor and mentee. 

• Commitment to growth: Both mentor and mentee should be committed to the personal and professional growth of the mentee. 
• Active listening: Mentors must listen attentively to understand the needs, aspirations, and challenges of their mentees. 
• Empathy and patience: Understanding the mentee's unique situation and providing guidance without judgment. 

Effective mentoring practices for the public health workforce

Effective mentoring is more than just sharing advice. The relationship creates a bond that enables the mentor and the mentee to engage freely, setting the stage for continuous feedback and reflection. Mentors help mentees assess their progress, identify improvement areas, and set achievable career goals. Through regular meetings, mentees can refine their skills, enhance performance, build programmatic expertise, and take meaningful steps toward reaching their professional aspirations. Mentors also foster critical soft skills such as communication, leadership, and adaptability—qualities essential for success in today’s dynamic work environment. 

• Relationship building: Developing trust and open communication is foundational for a successful mentoring relationship. 
• Feedback and reflection: A continuous process of constructive feedback helps the mentee assess progress and areas for improvement. 
• Goal setting: Mentors assist mentees in setting clear career goals, providing a roadmap for professional development. 
• Support for soft skills: Mentors help mentees hone crucial soft skills such as communication, leadership, and adaptability. 

Mentorship benefits all employees 

For those early in their careers, the transition into the workforce can feel overwhelming. Mentorship eases this transition by providing real-world perspective and experience. Internships, projects, and entry-level roles offer opportunities for new graduates to gain practical exposure, and mentors guide them on how to make the most of these experiences. Mentors encourage continuous learning, helping mentees understand that education doesn’t stop after formal schooling. Staying current on industry trends and acquiring new skills are imperative for career advancement. 

Mentoring also helps new professionals establish networks and build relationships that can lead to new opportunities. As mentees build their networks, they develop a clearer sense of their career aspirations. A mentor can help define their path, set clear goals, and take effective steps toward achieving them. For example, one early-career mentee emphasized the importance of a mentor being honest and relatable, preferring face-to-face feedback to foster a personal connection. This mentee shared that their BerryDunn mentor was invaluable in identifying relevant training and certifications that contributed to career progression and personal growth. 

Mentoring also holds great value for experienced professionals. For tenured employees, mentoring offers an opportunity to give back and enhance leadership skills. By guiding younger employees, mentors support growth while strengthening their own leadership development. When experienced employees take on the mentee role, they continue to develop skills key to their current position or future goals. In either case, mentorship benefits both individuals and fosters a more engaged and capable workforce. 

Invest in mentorship: We can help 

Investing in mentorship prepares agencies for the big changes happening in public health. It supports transitions from academia to the workforce, encourages continuous learning, eases career changes, and builds confidence in professionals at all levels. Mentors provide valuable insights, foster career growth, and help develop essential skills needed to navigate workplace complexities. For public health agencies looking to strengthen their workforce, structured mentoring programs offer long-term benefits, improve employee satisfaction, and support ongoing professional development. 

At BerryDunn, we practice what we preach by offering a robust mentorship program accessible to all employee levels. As a testament to its success, the program was recently featured in BerryDunn’s “In the Spotlight” podcast, where an employee shared how mentoring played a key role in their career growth. If your agency is looking to establish a formal mentoring program, BerryDunn can assist by identifying the right approach, implementing effective matching and evaluation strategies, and applying best practices to ensure success. Learn more about our services and team.

Read other articles in the public health workforce series:

Securing the future of public health: Confronting the workforce shortage

Supporting mental wellness in the public health workforce

Public health transformation: Addressing workforce challenges

Starting January 1, 2025, a new individual tax benefit allows taxpayers to deduct certain interest paid on loans for qualified passenger vehicle purchases. This deduction is available through the end of 2028 and presents both opportunities and compliance responsibilities for lenders. 

Eligibility criteria for the deduction 

To qualify, the vehicle must: 

• Weigh less than 14,000 pounds 

• Have its final assembly point in the United States 

• Be purchased after December 31, 2024 

• Be new with its original use beginning with the taxpayer 

Required reporting by lenders 

Lenders must provide borrowers with specific information to support their deduction claims. The required data includes: 

• Total amount of interest received during the calendar year 

• Origination date of the loan 

• Principal balance at the beginning of the year 

• Confirmation that the vehicle meets the eligibility criteria 

If Vehicle Identification Number (VIN) data is not currently captured or is stored in a separate system, lenders should begin exploring ways to access and integrate this information to ensure accurate reporting. 

Transitional relief for 2025 

On October 21, 2025, the IRS announced transitional relief for lenders for the 2025 tax year. Lenders will not be subject to informational reporting penalties as long as they provide the total amount of interest received on qualified auto loans to customers via online banking platforms, regular account statements, or other reliable methods. 

The IRS has not yet issued a specific form or instructions for this reporting and it is not expected to do so for the 2025 tax year. The IRS has indicated that a standardized form (like Form 1098) is expected for 2026 and beyond. 

Reporting deadline 

The deadline for lenders to provide the required information to customers is January 31, 2026. 

Phase-out of the deduction 

The deduction begins to phase out for taxpayers with modified adjusted gross income (MAGI) above $100,000 for single filers and $200,000 for joint filers. Taxpayers above these thresholds will see a gradual reduction in the allowable deduction amount. The deduction is reduced by $200 for every $1,000 of MAGI above these thresholds and is fully phased out at $149,000 for single filers and $249,000 for joint filers.  

What lenders should do now 

• Determine how required information will be reported to borrowers for 2025. 

• Review systems to ensure VIN and vehicle eligibility data can be accessed. 

• Prepare to track and report interest and loan details on an informational tax form starting in 2026. 

• Communicate with borrowers about the upcoming deduction and reporting timeline. 

This new deduction offers a valuable benefit to consumers and a chance for lenders to support tax compliance while enhancing customer service. 

BerryDunn can help 

Our dedicated audit, tax, and consulting professionals understand the financial services industry and its challenges, and are committed to helping you meet and exceed regulatory requirements. We partner with you to bring tailored approaches to fit your needs and operations and provide guidance on best practices and recommendations that make sense for you. Learn more about our services and team. 

Read this if you are a CFO, director of HR, or a retirement plan sponsor. 

Beginning January 1, 2026, significant changes will affect catch-up contributions to retirement plans for high-earning individuals, sometimes referred to as ‘highly paid participants.’ This group of high-earning individuals will be more inclusive than the current definition of a Highly Compensated Employee. The new rules, enacted as part of recent legislative updates, specifically target plan participants whose prior-year compensation exceeds a set threshold and require that their catch-up contributions to 401(k), 403(b), and governmental 457(b) plans be made on a Roth (after-tax) basis. 

This article provides an overview of these new requirements, focusing on the affected plan participants, and discusses the pros and cons as well as key considerations for employers and affected individuals in advance of the transition deadline on December 31, 2025. Importantly, plan sponsors will need to coordinate compliance with their payroll provider and retirement plan recordkeeper. Plan sponsors will also need to communicate the new rules to the affected plan participants. 

Overview of 2026 Roth catch-up contribution changes 
 

Under current law, individuals age 50 and older can make catch-up contributions to employer-sponsored retirement plans, such as 401(k), 403(b), and eligible governmental 457(b) plans. Historically, these catch-up contributions could be made on either a pre-tax or Roth basis, depending on plan provisions and the participant’s salary deferral election. Starting January 1, 2026, however, plan participants whose prior-year Social Security wages with the employer equal at least $145,000 (indexed annually beginning in 2026) will be required to make all catch-up contributions as Roth contributions. This means these contributions will be made with after-tax dollars and will not be tax-deductible, but qualified withdrawals in retirement generally will be tax-free. 

Significantly, any Roth salary deferral contributions made by a high earner (e.g., a regular deferral contribution or a catch-up contribution) count towards satisfying the Roth catch-up requirement. This means that if a high earner is already making regular Roth deferrals, they would not be required to make Roth catch-up contributions after the normal salary deferral limit (i.e., $23,500 for 2025) is reached as long as the Roth contributions exceed the catch-up limit (i.e., $7,500 for 2025). The plan sponsor may default those contributions that are over the normal salary deferral limit to Roth treatment, but the plan must allow the high earner to choose to make catch-up contributions on a pre-tax basis (assuming they have already made the required amount of Roth contributions). Essentially, this means a plan sponsor can only mandate Roth treatment for contributions up to the dollar amount of that year’s catch-up limit (i.e., $7,500 for 2025). 

New 2026 Roth rules for partners, other self-employed individuals, and owners 
 

The relevant guidance clarifies that a participant who does not have Social Security wages, such as a partner with self-employment income, will not be subject to the Roth catch-up requirement. This group would also include sole proprietors and members of an LLC taxed as a partnership. 

However, the Roth catch-up requirement will apply to owners of a C-Corp or S-Corp who have Social Security wages equal to at least $145,000 (indexed) reported on Form W-2, Box 3. 

Other pertinent Roth 2026 rule changes to consider 

Wage limit is not pro-rated: The relevant guidance states the Social Security wage amount (i.e., $145,000, indexed) is not pro-rated for an employee’s partial year of employment. For example, an employee who is hired on September 1, 2025, at a $200,000 salary will not be subject to the Roth catch-up requirement in the 2026 plan year because the employee’s Social Security wages would only be approximately $66,600 for the 2025 calendar year. 

Employer definition: The relevant employer is the common law employer of the plan participant. The final regulations allow a plan to aggregate the Social Security wages a participant receives from all employers in a controlled group and/or where a common paymaster is used. If a plan sponsor wants to take advantage of this permissible aggregation, however, it must specify in the plan which aggregation method it is using and what groups are being aggregated. 

Deemed elections: A plan may provide that an election by a participant subject to the Roth catch-up contribution requirement to make salary deferral contributions on a pre-tax basis will be treated as a deemed election to make catch-up contributions as designated Roth catch-up contributions. If a plan will apply deemed elections, the plan document must provide for them and must permit participants to change their deemed elections. Alternatively, a plan sponsor could require the affected plan participant to make a separate election for Roth catch-up contributions.  

Super catch-up contributions: Made by participants who attain age 60 to 63 during a calendar year, these contributions are subject to the Roth catch-up contribution requirement. 

Employers will need to track compensation across all relevant categories to ensure compliance and retirement plan administrators will need to update procedures to enforce the Roth catch-up rule for affected participants. 

Pros and cons of the 2026 Roth catch-up requirement 

Pros: 

• Tax-free growth: Roth contributions grow tax-free and qualified withdrawals in retirement are not subject to federal income tax, potentially providing greater after-tax retirement income. 

• No Required Minimum Distributions (RMDs): Roth 401(k) and Roth IRA accounts are not subject to RMDs during the account holder's lifetime, offering more flexibility in retirement planning. 

• Estate planning benefits: Roth accounts can be advantageous for heirs due to tax-free distributions. 

Cons: 

• No immediate tax deduction: Roth contributions are made with after-tax dollars, so high earners lose the immediate tax deduction that pre-tax catch-up contributions previously provided. 

• Higher current tax liability: Switching to Roth catch-up contributions may increase current-year taxable income, possibly moving participants into a higher tax bracket. 

• Complexity for employers: Employers and plan sponsors must implement new administrative procedures to track compensation and enforce Roth-only catch-up contributions for eligible participants. 

Actions for employers and high earners before December 31, 2025 

With the new Roth catch-up requirement taking effect on January 1, 2026, employers and affected high earners should take proactive steps in 2025 to prepare for the transition: 

1. Review plan documents: Employers should ensure that their retirement plan documents support Roth catch-up contributions, updating them if necessary. 

2. Assess payroll and administrative systems: Ensure systems can accurately track compensation and enforce the Roth catch-up requirement for high earners. 

3. Communicate with participants: Provide clear information to employees about the upcoming changes, how compensation is calculated, and the implications for their retirement savings. 

4. Tax planning: The affected plan participants should consult with tax advisors to assess the impact of losing the pre-tax catch-up option and to explore strategies for minimizing overall tax liability. 

5. Maximize pre-tax catch-up contributions in 2025: Eligible individuals may wish to maximize their pre-tax catch-up contributions before the new requirement takes effect. 

6. Evaluate Roth vs. pre-tax savings: Consider the long-term benefits of Roth savings, including tax-free withdrawals and estate planning advantages, versus the short-term impact on taxable income. 

Start planning now for 2026 Roth changes 

The new Roth catch-up contribution requirement for certain plan participants marks a significant shift in retirement plan rules. While the change offers potential long-term tax benefits, it also increases current tax liability and administrative complexity. Employers and affected individuals should use the time before December 31, 2025, to review plan provisions, communicate with participants, and engage in strategic tax planning to ensure a smooth transition and take full advantage of available retirement savings opportunities. 

BerryDunn is one of only a few firms that specializes in all aspects of retirement plan design, optimization, and management. We understand the importance of a sound retirement plan strategy and its impact on business operations. And, we’ll help you stay abreast of new regulations, investment options, and contribution limits and present you with opportunities to realize more value as they arise. Learn more about our services and team.  

In today's rapidly evolving business landscape, boards of directors are more than just stewards of governance—they are the strategic compass guiding an organization toward enduring success. As the challenges facing companies grow increasingly complex, from disruptive technological trends to shifting societal expectations, the board's role has never been more critical.  

This series is designed to empower board members with the insights and tools necessary to navigate change with confidence. Our experts, each a leader in their respective fields, will share real-world examples, practical frameworks, and actionable advice in a Q&A format, as well as lessons learned from their personal and professional journeys. 

Embedding security awareness and risk into organizational culture 

For the latest installment of our board leadership series, BerryDunn Financial Services Practice Group Senior Manager Lindsay Francis shares key insights on information security awareness and risk, including how to embed it in your organizational culture.  

Q. What is the current risk landscape and how do employee behaviors (e.g., phishing clicks, weak passwords) contribute to organizational exposure? 

A. Risks are part of everyday business and require an organizational culture of awareness and a commitment to staying up to date on changes—whether these are security risks directly affecting you or those that trickle down from your vendors. It’s important for every member of the organization to remain aware that their actions, or inactions, both help to protect and have the potential to undermine the security controls you or your vendors have put in place to protect your environment.  

There are times when security controls can seem cumbersome and appear to slow down processes, but when designed properly—which requires a balance of protection and allowing business-critical objectives to continue in a reasonable manner—those security controls help to keep the day-to-day processes running as smoothly as possible. Security incidents slow down the ability to perform important responsibilities.

Both phishing clicks and weak passwords continue to contribute to a large proportion of security breaches. Although this is not a new concept, security fatigue has added another risk where employees are overwhelmed by the constant threats, the need to scrutinize every email, and the long list of passwords and multifactor authentication techniques required to perform everyday tasks. This can lead to employees looking for loopholes, ignoring important security measures, or failing to identify threats. Organizational culture should help employees embrace the mindset that investing time in prevention is crucial to helping avoid incidents.

Q. How do you differentiate information security awareness from general IT training or technical cybersecurity programs? 

A. Information security awareness focuses on culture. The key is to help employees recognize risks and respond appropriately. IT training is more technical, with the purpose of teaching specific skills and procedures. Cybersecurity programs are broader, covering the technical aspects with security controls, incident response, and compliance, as well as education goals and training schedules to promote ongoing security awareness. 

Q. How does an organization help ensure security awareness is part of a broader, ongoing effort to build a security-conscious culture and not a one-time initiative? 

A. Security awareness needs to be included throughout the lifecycle of employees—from onboarding to regular training, as well as ongoing communications. Continuous learning cycles, including short learning modules and periodic phishing simulations, help reinforce secure behaviors. Leadership must champion security as a core value, and metrics should be used to measure progress. 

Q. What cultural challenges are organizations facing in terms of encouraging secure behaviors and how can they be addressed? 

A. Challenges can include resistance to change, security fatigue, a lack of understanding of the direct consequences to the employee’s day-to-day tasks in the event of a security incident, and insufficient leadership support. Addressing these requires leadership engagement, highlighting why it’s important, continuous training delivered in small exercises, and a focus on positive reinforcement. This last part is key—when employees feel punished for failing a training exercise, their attitudes can become another obstacle to overcome. When remediation training is required, it should be posed as a supportive measure to help create engagement and reeducation. Lastly, measuring and reporting on culture, not just compliance, is crucial to understanding where resistance and fatigue may linger. 

Q. How do organizations stay current with emerging security threats and adjust awareness training to address these new risks (e.g., AI-driven attacks, deepfakes)? 

A. Typically, the teams within IT, Risk, and/or Compliance are keeping up to date with new security trends and threats. It’s essential for organizations to use that knowledge to update awareness programs, communicate those to the organization, and coordinate with any training vendors on how to include new threats like AI-generated phishing and deepfakes into the ongoing training modules. Incident response exercises and real-world case studies can help employees recognize and respond to evolving risks. 

Q. How do software vendors fit into the cybersecurity ecosystem and what should the Board know about vendor risks? 

A. Gaining advantages in technology, operational efficiencies, and expertise does not come without a downside—vendor use comes with its own layer of risks. Although Software-as-a-Service (SaaS) providers are hosted in the cloud, which means they are not within your network, this does not prevent a breach of your vendor from reaching your network. Your security is only as strong as your weakest vendor’s security. Each vendor should be properly vetted from an information security perspective before a contract is signed. Functionality of the software cannot be the only driving factor.

The Board should review the organization's vendor management program and processes to look for gaps in both the initial scoping and onboarding steps, including whether a cross-functional approach is used to perform due diligence, as well as what the ongoing due diligence entails. For example, has research been performed on whether the vendor has experienced any security incidents prior to signing a contract, and how will your organization be informed if there is a future event, and is this stated in your contract? Does the organization require multifactor authentication for all vendor software to help prevent hackers from taking advantage of weak passwords?  

Annual updates should be provided to the Board on the risk ratings for each vendor, the mitigation controls in place for high-risk vendors, and the organization’s actions in response to any vendor security incidents. In addition, the Board and management should consider vendor software availability during the annual review and update process when ranking the risks of each vendor. For example, do you have a plan if your vendor is suddenly unavailable? Have you tested a disaster recovery scenario with the vendor, or do you have a manual process to keep your daily tasks on schedule in the meantime while the vendor works to restore its service? 

Q. What role should the Board play in driving security awareness throughout the organization? 

A. The Board should set the tone for security, ensure regular training, and require reporting on the organization’s security posture. Board members must be cyber-literate and engage with security leaders to understand risks and mitigation strategies.

Q. How often should the Board receive updates on security awareness, and in what format? 

A. Best practice is quarterly updates, at a minimum, with additional briefings after major incidents or regulatory changes. Formats can include dashboards, executive summaries, and presentations that highlight key metrics, trends, and action items. Another helpful tool can include Board-specific training to help brush up on cybersecurity knowledge to keep the Board up to date on trends and industry-specific risks.

Q. How do organizations ensure that security awareness is integrated into overall organizational governance, risk management, and business continuity planning? 

A. Security awareness is an imperative part of the organization’s governance framework, which should include embedding awareness into operational policies as well as the risk management program, incident response plan, disaster recovery plan, and business continuity plan. Training should align with risk assessments, with higher attention given to higher-rated risks, and provide multiple reminders throughout the year of the key steps all employees should know about reporting suspicious activity or security events. Annual disaster recovery and business continuity exercises should include multiple departments to help ensure high collaboration during a real-life event. In addition, this context reinforces a security awareness mindset and may help provide a better understanding of the challenges and consequences of failing to prevent an incident.

About Lindsay 

As a member of BerryDunn’s Financial Services Practice Group, Lindsay helps clients identify improvements in information security, operational efficiency, and IT service delivery. She has worked across multiple industries—including banking, healthcare, public gaming, and higher education—to help clients gain control of IT and financial operations. This, coupled with Lindsay’s experience working with complex organizations to meet regulatory and industry standards, provides clients with a unique and valued perspective. Learn more about Lindsay. 

BerryDunn partners with organizations to create work environments where business success and personal growth coexist and where people are confident knowing their workplace positively contributes to their well-being. We take a comprehensive approach to our workforce and well-being work, considering how business needs, organizational capacity, and the employee experience work together to drive your business forward. Learn more about our financial institutions consulting services.

Read this article if you are a CFO or controller at a nonprofit organization. 

For nonprofit organizations, every resource matters. Selecting the right Enterprise Resource Planning (ERP) system is no longer just a technology decision, it’s a strategic choice that impacts the entire organization. With so much at stake, it’s essential to approach ERP evaluation and implementation with careful planning and expert guidance. Follow these four steps for best practices to help you make informed decisions that support the mission and vision of your organization during the process.  

Step 1: Assess the case for change 

Start by evaluating whether the current ERP environment is serving your organization’s needs. This assessment can help determine if incremental improvements through optimization are enough, or if a more significant change is required. 

Key questions to consider: 

• What pain points or inefficiencies exist with your current system? 

• Are new or upcoming regulatory requirements putting additional strain on your current ERP? 

• How ready is your organization for change? 

• What is the technical literacy of the impacted employees? 

• What infrastructure and resources are required to implement and support a new ERP? 

• Is your current ERP being retired or phased out by the vendor? 

• Are there third-party systems or manual processes that could be streamlined? 

This stage often uncovers gaps not just in technology, but also in processes and organizational alignment. 

Step 2: Define organizational needs and priorities 

Once the case for change is clear, nonprofits should identify their “must-have” features versus “nice-to-haves.” ERP systems offer a wide variety of modules, but the right solution is the one that aligns with your operational and reporting priorities. 

Typical core ERP components nonprofits may consider include: 

• General ledger  

• Accounts payable and receivable 

• Budgeting and forecasting 

• Grants and donor management 

• Cost center allocation and reporting  

• Fixed assets tracking 

The key is to make sure the solution not only meets requirements and manages resources well but also offers insights that help guide mission-driven decision-making. 

Step 3: Evaluate the options strategically 

With your organization’s needs clearly defined, the next step is to evaluate potential ERP solutions through a careful and deliberate process. 

Focus on how well each system matches your nonprofit’s operations and long-term goals rather than being distracted by impressive features. Involve staff from different departments to get a complete picture of how each option supports your priorities. Consider not just immediate benefits, but also how the system will serve your organization in the future.  

A thoughtful and structured evaluation process will help you look beyond first impressions and choose an ERP solution that delivers lasting value and supports your mission and your teams in their daily work. 

Step 4: Prepare for implementation success 

Selecting the right ERP solution is just the first step; true success depends on effective implementation. For nonprofits, this means carefully managing both the technical aspects of the rollout and the impacts on staff who will be adapting to the new system.  

Strong leadership, active staff involvement, and a well-organized approach to change are essential for successful adoption. Preparing your team, aligning departments, and developing a clear plan for change management, training, and communication can make the difference between a smooth implementation and adoption of the solution across your organization. With this foundation, nonprofits can maximize the benefits of their new solution. 

BerryDunn can help 
The right ERP system can help your organization increase efficiencies, reduce risk, and make informed, data-driven decisions. Implementing a new system is a critical decision with significant business impacts. BerryDunn’s team can provide assessment, system evaluation, and implementation services for ERP systems for nonprofits, such as financial and student information systems, and can expertly guide you through the process. Learn more about our services and team.