
In light of the recent cyberattacks in higher education across the US, more and more institutions are finding themselves no longer immune to these activities. Security by obscurity is no longer an effective approach—all institutions are potential targets. Colleges and universities must take action to ensure processes and documentation are in place to prepare for and respond appropriately to a potential cybersecurity incident.

All teams experience losing streaks, and all franchise dynasties lose some luster. Nevertheless, the game must go on. 

The world of professional sports is rife with instability and insecurity. Star athletes leave or become injured; coaching staff make bad calls or public statements. The ultimate strength of a sports team is its ability to rebound. The same holds true for other groups and businesses.

Any sports team can pull off a random great play. Only the best sports teams, though, can pull off great plays consistently — and over time. The secret to this lies in the ability of the coaching staff to manage the team on a day-to-day basis, while also continually selling their vision to the team’s ownership.

A professional sports team is an ever-changing entity. To have a general perspective on the team’s fluctuating strengths and weaknesses, a good coach needs to trust and empower their staff to discover the details. Chapter 5 in BerryDunn’s Cybersecurity Playbook for Management looks at how discovery can help managers understand their organization’s ever-changing IT environment. 

Just as sports teams need to bring in outside resources — a new starting pitcher, for example, or a free agent QB — in order to get better and win more games, most organizations need to bring in outside resources to win the cybersecurity game.

As a leader in a higher education institution, you'll be familiar with this paradox: Every solution can lead to more problems, and every answer can lead to more questions. It’s like navigating an endless maze. When it comes to mobile apps, the same holds true. 

It may be hard to believe some seasons, but every professional sports team currently has the necessary resources — talent, plays, and equipment — to win. The challenge is to identify and leverage them for maximum benefit.

It’s one thing for coaching staff to see the need for a new quarterback or pitcher. Selecting and onboarding this talent is a whole new ballgame. Various questions have to be answered before moving forward: 

When it comes to IT security, more than one CEO running a small organization has told me they have really good people taking care of “all that.” These CEOs choose to believe their people perform good practices. 

For professional baseball players who get paid millions to swing a bat, going through a slump is daunting. The mere thought of a slump conjures up frustration, anxiety and humiliation, and in extreme cases, the possibility of job loss.

The construction industry presents some unique accounting and financial reporting requirements when it comes to construction work-in-progress (WIP) schedules. To keep a solid pulse on contract financial status and results, it is important that these schedules are accurate and up to date. Here are five of the more common mistakes we encounter when working with clients:

1. Inaccurate inputs for the WIP schedule

Achieving 100% accuracy can be challenging, because the WIP schedule depends on four main inputs:

  • Projected total cost
  • Contract value
  • Job-to-date cost
  • Job-to-date billings

A miscalculation in any of these can cause inaccuracies in your work-in-progress reporting of revenues and contract assets and liabilities.

2. Estimated under/overbilling costs that don’t match contract scope or reflect actual costs

Has the project scope changed without including the corresponding change order? This can result in overstated contract revenues and underbillings. Are total estimated costs greater than they should be? This can result in overstated overbillings and understated contract revenues which, if it happens consistently, can materially skew reported revenues and gross margin.

3. Change orders and billings that are improperly included or excluded

The main test for whether a change order belongs in the WIP schedule calculations is whether it is a continuation of an existing contract and is either signed and legally enforceable, or at least has a mutually agreed-upon scope and is only awaiting price agreement. If so, the projections should be updated to include the change order. This can get complicated, though, so be sure to check with your accountant if there is a question.

4. Not reconciling the WIP schedule to the financial statements

It is important to understand the WIP schedule and how it ties into financial reporting. The general ledger or internal financial statements should be reconciled with supporting external sources as well as internal calculations or spreadsheets, including the WIP schedule. This includes reconciling contract assets, contract liabilities, and related income statement accounts.

5. Not including all contracts on the WIP schedule, including both open and closed jobs

The WIP schedule should include all contract amounts, no matter how big or how small, or whether they are open or closed. Open vs. closed jobs should be noted as such on the schedule. It is a best practice to include job numbers for each contract; this way jobs can be tracked month over month, or year over year, and a gain/loss fade analysis can be performed.

BerryDunn’s Construction team partners with clients to provide meaningful insights on best practices in building capacity, stabilizing cash flow in growth, reducing tax liabilities, capturing reimbursable local taxes, and navigating state nexus. Learn more about our team and services. 

Article
Construction WIP accounting: Five common mistakes

The FDIC's Quarterly Banking Profile for Q4 2024 reports positive performance for the 4,046 community banks evaluated. Here are the key highlights: 

Note: Graphs are for all FDIC-insured institutions unless the graph indicates it is only for FDIC-insured community banks. 

Financial Performance 

  • Net Income: Full-year net income decreased by $624.4 million (2.4%) year-over-year to $25.9 billion, driven by higher noninterest expense, higher provision expense, and $566 million of realized losses on the sale of securities. Quarterly net income decreased $440.7 million (6.5%) from the prior quarter to $6.4 billion, driven by the same factors as the full-year result. However, compared to fourth quarter 2023, net income increased $535.3 million, or 9.2%, driven primarily by higher net interest income and noninterest income.
  • Net Interest Margin (NIM): Full-year NIM decreased by 6 basis points to 3.33%, as the cost of funds rose faster than asset yields. Quarterly NIM, however, rose 9 basis points from the previous quarter and 9 basis points from fourth quarter 2023, to 3.44%.
  • Revenue Growth: Net operating revenue increased $1.9 billion (7.3%) year-over-year, with gains in both net interest and noninterest income. Operating revenue rose by $960.3 million (3.6%) over the previous quarter on the same drivers.

Costs and Efficiency 

  • Noninterest Expense: Rose to $18.1 billion, up $1.1 billion year-over-year and $931.1 million (5.4%) quarter-over-quarter, largely due to increased salaries and employee benefits expense.
  • Efficiency: The efficiency ratio (noninterest expense as a share of net operating revenue) rose 26 basis points from a quarter earlier to 65.06%, reflecting the increase in noninterest expense.

Loan and Deposit Trends 

  • Broad-Based Loan Growth: Total loans and leases grew by $24.4 billion (1.3%) quarter-over-quarter, with a notable increase in commercial real estate (CRE). Total loans and leases increased 5.1% from the prior year, with notable increases in CRE and residential real estate.
  • Deposit Increases: Domestic deposits rose by $37 billion (1.6%) in the fourth quarter, with growth in both insured and uninsured deposits.

Asset Quality 

  • Stable Metrics: Nonperforming loan levels remained low, despite a slight rise in past-due loans to 1.2%, an increase of 7 basis points from third quarter 2024. Net charge-offs were marginally higher but within manageable levels (0.22%, up 6 and 4 basis points from a quarter and a year ago, respectively); this ratio remains 7 basis points above the pre-pandemic average of 0.15%. The reserve coverage ratio fell to 179.7%, down 6.17 percentage points from third quarter 2024 and 48.8 percentage points from a year earlier.
  • Unrealized Securities Losses: Unrealized losses on securities rose $11.6 billion (29.6%) from the previous quarter but were $961.6 million (1.9%) lower than a year earlier.

Capital and Structural Stability 

  • Capital Ratios: Decreased slightly across the board, with the average Community Bank Leverage Ratio (CBLR) dropping to 12.22%, down 3 basis points from the previous quarter. Of the 4,046 community banks, 1,629 have elected the CBLR framework. 
  • No Bank Failures: For the fourth quarter, there were no community bank failures, reflecting continued sector stability. However, total community banks declined by 36 from the previous quarter, primarily due to M&A activity. 

Conclusion and Outlook 

Another year has closed, and community banks continue to remain resilient. 2024 saw a dip in earnings as banks navigated increases in costs and depressed NIMs. The good news is that the NIM graph above shows a potential trend toward a rebound in 2025. The regulatory landscape continues to be closely watched by the banking community. Substantial changes throughout the federal government continue to create uncertainty, and the impact these changes will have on the banking industry is not yet known. Many see opportunity in the changes. Community banks are pillars of their communities and trusted advisors to those they serve. In these times of uncertainty, it is critical for banks to leverage and strengthen those relationships with their customers, much as they did during the pandemic. 

Technology will likely remain at the forefront of conversations in 2025 as the banking industry continues to monitor advances in artificial intelligence and how they can make an immediate impact on bank operations. There is a lot of hype surrounding technology, especially artificial intelligence. Banks will need to be deliberate about building these tools into their strategic plans and should fully vet any tool before implementing it, as the costs are often significant. However, a "wait and see" approach is likely not sufficient, as customers will increasingly expect these tools to be part of their experience. 

There may also be anxiety amongst employees, as there are varying headlines and stories regarding the impact technology (again, especially artificial intelligence) will have on the workforce. It will be crucial for leadership teams to monitor this sentiment throughout their organization and provide clear messaging to employees. 

2024 was also year two of the current expected credit loss (CECL) standard for many institutions. As institutions gained comfort surrounding the new CECL standard and saw the impact of changing inputs and assumptions, the importance of a robust governance and oversight framework over the CECL calculation continued to be emphasized. 2025 will likely continue to be a year of refinement as historical trends and peer data continue to be built under CECL. As always, your BerryDunn team is here to help! 

Article
FDIC Issues its Fourth Quarter 2024 Quarterly Banking Profile

On March 28, 2025, the FDIC issued a Financial Institution Letter (FIL) that rescinds the prior notification requirement for financial institutions engaging in crypto-related activities, as established in FIL-16-2022. Under the new guidance, FDIC-supervised institutions may engage in permissible crypto-related activities without prior FDIC approval, provided they manage the associated risks effectively. These risks include market, liquidity, operational, cybersecurity, consumer protection, and anti-money laundering concerns. The FDIC will continue working with other agencies and will issue further guidance to clarify banks' involvement in digital asset markets. Read the full text of FIL-7-2025.

Just a reminder that, for those institutions that are engaged or plan to engage in crypto-related activities, accounting for such activity should follow the Financial Accounting Standards Board’s (FASB) guidance on crypto assets, which can be found in Accounting Standards Codification (ASC) 350-60. Accounting Standards Update (ASU) 2023-08 established the first-ever accounting and disclosure framework for crypto assets within US generally accepted accounting principles. 

Assets that meet six criteria1 are required to subsequently be measured at fair value with changes recognized in net income each reporting period. Such assets must be presented separately from other intangible assets in the balance sheet, and changes from the remeasurement of crypto assets must be separately presented from changes in the carrying amounts of other intangible assets in the income statement. The ASU also provides for various disclosure requirements, including disclosure of the name, cost basis, fair value, and number of units for each significant crypto asset holding, as well as a roll forward, in the aggregate, of crypto asset holding activity for the reporting period.  

As always, should you have any questions, please don’t hesitate to reach out to your BerryDunn team. 

1 ASC 350-60-15-1 indicates that such assets must meet all of the following criteria: 

a. Meet the definition of intangible assets as defined in the ASC. 
b. Do not provide the asset holder with enforceable rights to or claims on underlying goods, services, or other assets. 
c. Are created or reside on a distributed ledger based on blockchain or similar technology. 
d. Are secured through cryptography. 
e. Are fungible. 
f. Are not created or issued by the reporting entity or its related parties. 

Article
FDIC Clarifies Bank Crypto Activity Process in New Letter

In late 2024, the Centers for Medicare and Medicaid Services (CMS) launched a sweeping off-cycle mandate requiring all skilled nursing facilities (SNFs) in the United States to revalidate their Medicare provider enrollment record. Facilities of all types–including for-profit and not-for-profit–are affected.

This revalidation, which is required to maintain your Medicare participation, is due by May 1, 2025. For SNFs grappling with this fast-approaching application deadline, here are five things to know about the changes, process, and new information that will keep your billing privileges current.

1. What has changed, and why? 

The CMS mandate introduced new disclosure requirements that are far more extensive than previous reporting requirements. The intent is to promote transparency by collecting more comprehensive data on:

  • Skilled nursing facility ownership and control structures.

  • Information on designated parties, including organizational and ownership structures, associated with SNFs. Notably, SNFs must identify and report all Additional Disclosable Parties (ADPs).

  • A final rule regarding Disclosures of Ownership and Additional Disclosable Parties Information for Skilled Nursing Facilities and Nursing Facilities was published by CMS in 2023. Read the final rule.

As part of this effort, CMS updated the Form CMS-855A application and developed a 20-page SNF-specific attachment that is required for SNF reporting. Additionally, CMS published and subsequently updated new Guidance on the CMS-855A Form with SNF Attachment, which outlines the changes, process, forms, and required information and supporting documents. 

Tip: Given the complexity of the new requirements, SNFs are encouraged to consult with legal counsel to ensure compliance. Working with outside credentialing and enrollment professionals can also be helpful in guiding SNFs through the revalidation process.

2. Who must be disclosed?

The CMS requires detailed information to be collected on ownership, management, and related parties, including these individuals and entities:

  • Every member of the SNF’s governing body

  • Every person or entity who is an officer, director, member, partner, trustee, or managing employee

  • Every person or entity who is an additional disclosable party (ADP) of the SNF

  • The organizational structure of each ADP and a description of the relationship of each ADP to the SNF and one another

Tip:  Start by making a thorough assessment of your organization’s ownership and management structure. Identify all relevant parties, including organizations and individuals, according to the new, broader definitions contained in the CMS guidance.

3. What are the new ADP disclosure requirements?

The newly updated reporting requirements mandate increased disclosures about additional disclosable parties (ADPs). In general, the definition of an ADP applies to any person or entity who:

  • Exercises operational, financial, or managerial control over the SNF

  • Provides real estate to the SNF

  • Delivers management or administrative services, consulting, or accounting/financial services to the facility

SNFs are also required to provide information on the ADPs' organizational structures and to describe the relationships between ADPs and the facility.

Tip: Refer to the guidance provided by CMS to fully understand the new, broader definition of ADPs. Begin by identifying all ADPs associated with your facility and thoroughly document all existing service relationships.

4. What else might trigger reporting?

The new regulations include expanded definitions of parties with operational, financial, or managerial control that are now subject to a SNF’s reporting requirements. For example:

  • Managerial control now includes "managing organizations" or "managing employees" such as a general manager, business manager, administrator, director, or consultant who directly or indirectly manages, advises, or supervises any element of the practices, finances, or operations of the SNF

  • Operational control refers to the oversight and responsibility for the SNF’s daily activities and transactions and is not limited to those in supervisory roles. Any degree of responsibility for operations, even informal, may trigger the disclosure requirements

  • Financial control can include monitoring or managing the SNF’s finances, authority to approve the expenditure of SNF funds, an owning organization that funds part of the SNF’s operations, or banks that have given the SNF a line of credit

Tip: The new regulations have broadened the scope of these areas of influence with SNFs. As previously mentioned, it’s important to thoroughly review the definitions provided in the CMS guidance to be sure you’re in compliance.

5. What type of data gets collected and disclosed?

The new regulations require SNFs to disclose detailed information about both organizations and individuals with ownership interests and/or managing control. For organizations, this includes but is not limited to:

  • Legal business name (LBN)
  • Doing business as name (DBA)
  • Whether or not they have less than 5% ownership interest, or are an ADP without ownership or managing control of the SNF
  • Tax Identification Number (TIN) – not required if the ADP has less than 5% ownership interest
  • National Provider Identifier (NPI) of the organization with ownership interest/managing control
  • IRS Proprietary/Non-Profit Status (proprietary, non-profit, disregarded entity)

SNFs must also report data on individuals with ownership interest and/or managing control. Information disclosing their relationship with the facility includes but is not limited to whether they have:

  • 5% or greater direct ownership interest
  • 5% or greater indirect ownership interest
  • 5% or greater mortgage interest
  • 5% or greater security interest
  • General partnership interest in the SNF
  • Limited partnership interest in the SNF
  • Managing control, such as corporate officers, corporate directors, and W-2 managing employees

Tip: The new revalidation process requires SNFs to collect and keep track of more detailed information than ever before. A best practice is to develop internal processes for collecting, maintaining, and reporting ownership and control information.

As you prepare your CMS-855A application, remember that you can file it by mail or, preferably, through the secure online PECOS portal.  

We're here to help

With the May 1, 2025, deadline approaching, it can be helpful to work with an experienced team of credentialing professionals who can help you navigate the complex process of meeting the new revalidation requirements. For example, BerryDunn’s Credentialing and Enrollment Team has developed a proprietary tool to help client organizations collect, organize, and track ownership, control, and ADP information, and to guide them through the CMS revalidation process. Additional CMS resources are available, including PECOS support, via the External User Services (EUS) Help Desk. The Help Desk can also be reached by phone at 1.866.484.8049 or by email at EUS_Support@cms.hhs.gov.

Article
Tips and takeaways: What SNFs should know about CMS mandated enrollment revalidation

Read this if your organization is subject to HIPAA regulations.

For over two decades, the HIPAA Security Rule has remained largely unchanged, aside from extending its scope beyond covered entities to include business associates. During this time, cybersecurity threats in the healthcare sector have grown significantly, and the US Department of Health and Human Services Office for Civil Rights (OCR) has gained extensive enforcement experience.

To address evolving threats and regulatory challenges, OCR has issued proposed modifications to the Security Rule, introducing stricter security controls, mandatory encryption requirements, and a shift away from “addressable” implementation specifications. While these changes aim to improve data security, they also introduce new compliance burdens that could be challenging for many regulated entities.

Key proposed changes to the HIPAA security rule

1. Greater specificity in security requirements

Historically, the HIPAA Security Rule provided flexibility by outlining broad security categories without mandating specific implementation measures. While this adaptability allowed organizations to tailor their security programs, it also created compliance ambiguities and enforcement challenges. The newly proposed rule introduces more detailed and prescriptive requirements, including:

  • Asset inventory and network mapping
    • Organizations must maintain a comprehensive inventory of technology assets, including identification, version, accountability, and location.
    • A network map illustrating the movement of ePHI across systems is required.
  • Risk analysis and patch management
    • Annual review and update of risk analysis and risk management plans.
    • Mandatory patching of critical risks within 15 days and high risks within 30 days.
  • Access control and workforce security
    • Termination of workforce access to ePHI within one hour of employment cessation.
    • 24-hour notification requirement when a workforce member loses access at another regulated entity.
    • New employees must complete security training within 30 days of system access.
  • Network security and monitoring
    • Mandatory network segmentation to prevent lateral movement in case of a breach.
    • Real-time system monitoring to detect unauthorized activity and alert workforce members.
  • Authentication and identity management
    • Mandatory multifactor authentication for system access and privilege changes.
    • Implementation of strong password policies aligned with industry standards.
  • Security testing and incident response
    • Annual penetration testing and vulnerability scanning at least every six months to identify risks.
    • Establishment of a security incident response plan with annual testing.
  • Backup and disaster recovery enhancements
    • ePHI backups must occur at least every 48 hours, with a 72-hour recovery time for critical systems.
    • Monthly testing of data restoration processes.
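Several of the proposed specifications above are measurable deadlines (critical patches within 15 days and high within 30, access revoked within one hour of separation, backups no older than 48 hours), which means an organization can test its own evidence against them before an auditor does. The following is an added example, not code from BerryDunn, OCR, or the proposed rule itself: it audits constructed vulnerability, separation, and backup records against those deadlines and reports each breach. The record layouts, field names, and sample data are assumptions made for the illustration, and the "now" timestamp is fixed so the results are reproducible.

```python
"""Check constructed evidence records against the deadlines in the proposed
HIPAA Security Rule summary above. Added example; record formats, field
names, and sample data are assumptions, not anything OCR prescribes."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Deadlines as summarized in the proposal: patch SLAs by severity, access
# termination latency, and maximum age of the most recent ePHI backup.
PATCH_SLA_DAYS = {"critical": 15, "high": 30}
ACCESS_TERMINATION_MAX = timedelta(hours=1)
BACKUP_MAX_AGE = timedelta(hours=48)


def ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC (all sample data is in UTC)."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:            # one vulnerability finding from a scanner export
    asset: str
    severity: str         # "critical", "high", or lower
    detected: datetime
    patched: Optional[datetime]   # None means still open


@dataclass(frozen=True)
class Separation:         # one workforce departure from the HR feed
    user: str
    separated: datetime
    access_revoked: Optional[datetime]  # None means access still active


@dataclass(frozen=True)
class Backup:             # most recent successful ePHI backup per system
    system: str
    last_backup: datetime


def patch_sla_breaches(findings: List[Finding], now: datetime) -> List[Tuple[str, str, int]]:
    """Return (asset, severity, days_past_sla) for critical/high findings not
    patched within the SLA. Open findings are measured against `now`, so a
    finding that is still open but inside its window is not a breach yet."""
    breaches = []
    for f in findings:
        sla = PATCH_SLA_DAYS.get(f.severity.lower())
        if sla is None:
            continue  # the proposal sets no fixed deadline for lower severities
        closed = f.patched or now
        days_open = (closed - f.detected).days
        if days_open > sla:
            breaches.append((f.asset, f.severity, days_open - sla))
    return breaches


def access_termination_breaches(separations: List[Separation], now: datetime) -> List[str]:
    """Users whose ePHI access outlived their separation by more than one hour."""
    return [s.user for s in separations
            if (s.access_revoked or now) - s.separated > ACCESS_TERMINATION_MAX]


def stale_backups(backups: List[Backup], now: datetime) -> List[str]:
    """Systems whose most recent ePHI backup is older than 48 hours."""
    return [b.system for b in backups if now - b.last_backup > BACKUP_MAX_AGE]


# Constructed sample evidence (not real systems or people).
NOW = ts("2025-03-01T12:00")
FINDINGS = [
    Finding("ehr-db01", "critical", ts("2025-01-20T00:00"), ts("2025-02-10T00:00")),  # 21 days: late
    Finding("ehr-app02", "high", ts("2025-02-01T00:00"), ts("2025-02-20T00:00")),     # 19 days: on time
    Finding("imaging-01", "Critical", ts("2025-02-20T00:00"), None),                  # open, 9 days: not yet late
    Finding("vpn-gw", "high", ts("2025-01-15T00:00"), None),                          # open, 45 days: late
    Finding("kiosk-03", "medium", ts("2024-12-01T00:00"), None),                      # no SLA in proposal
]
SEPARATIONS = [
    Separation("jdoe", ts("2025-02-28T09:00"), ts("2025-02-28T09:30")),       # 30 min: fine
    Separation("asmith", ts("2025-02-27T17:00"), ts("2025-02-28T08:05")),     # next morning: breach
    Separation("contractor7", ts("2025-03-01T11:30"), None),                  # 30 min ago, still open: fine
]
BACKUPS = [
    Backup("ehr-db01", ts("2025-02-28T02:00")),     # 34 hours old
    Backup("hl7-broker", ts("2025-02-26T02:00")),   # over 3 days old
]


def run_audit(now: datetime = NOW) -> dict:
    """Run all three checks over the sample evidence and return the breaches."""
    return {
        "patch_sla_breaches": patch_sla_breaches(FINDINGS, now),
        "access_termination_breaches": access_termination_breaches(SEPARATIONS, now),
        "stale_backups": stale_backups(BACKUPS, now),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result or 'none'}")
```

Open findings and unrevoked access are measured against the current time rather than skipped, so an item that is still open but inside its window is reported as compliant today and will surface as a breach once the window passes; feeding the functions a real scanner export and HR feed is a matter of mapping those sources onto the three record types.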

2. Elimination of “addressable” implementation specifications

Under the current rule, certain security measures are designated as "addressable," meaning that organizations can implement them based on reasonableness and appropriateness, or document why an alternative measure was chosen instead. The proposed rule removes this distinction, so every implementation specification becomes required, subject only to narrow, specifically enumerated exceptions.

Encryption of ePHI at rest and in transit will be required in nearly all cases.

Limited exceptions apply only when:

  • A technology asset does not support encryption and the organization has a migration plan.
  • A patient explicitly requests unencrypted communication and acknowledges the risks.
  • Encryption is unavailable in an emergency situation.
  • The system is FDA-regulated and certain conditions apply.

This raises concerns about operational feasibility, as the rule does not explicitly allow common unencrypted communications such as text-based appointment reminders or patient notifications.

3. Expanded documentation and compliance verification

The proposal significantly expands compliance documentation, verification, and reporting obligations. Regulated entities would be required to:

  • Conduct annual security audits to verify compliance.
  • Obtain written security attestations from business associates every 12 months, including:
    • A cybersecurity expert’s written analysis confirming technical safeguards.
    • A certification verifying the accuracy of the analysis.
  • Review and test policies and procedures annually, including:
    • Patch management
    • Risk analysis updates
    • Workforce sanctions
    • Media disposal and reuse
    • Contingency plans

4. Stricter enforcement and compliance obligations

OCR is shifting toward greater enforcement accountability, making it clear that merely having a policy in place is no longer sufficient. The proposed rule would require regulated entities to:

  • Demonstrate that security measures are actively deployed and operational.
  • Ensure that implemented controls are continuously monitored and updated.
  • Regularly test compliance through internal audits and external verification.

This change was prompted in part by a court ruling (University of Texas M.D. Anderson Cancer Center v. HHS), which held that the existing rule required only that a mechanism to encrypt ePHI be in place, not that it be consistently used, limiting OCR’s enforcement authority where an entity had encryption available but was not applying it. The new rule seeks to close that gap by requiring proof that controls are actually implemented and operating.

Implementation timeline and potential regulatory outlook for proposed HIPAA Security Rule changes

Public comments were due by March 7, 2025. If finalized, organizations will have 240 days to comply (60 days after the final rule is published, plus an additional 180 days). Business associate agreements must be updated within one year of the final rule’s effective date.

With the recent change in administration, there is uncertainty about whether the rule will be finalized under the new administration. However, bipartisan consensus exists on the need for stronger healthcare cybersecurity. The Trump administration previously enforced the HIPAA Security Rule much as Democratic administrations did. While Trump’s general approach is deregulatory, this proposal may still advance given the ongoing threat of healthcare data breaches.

Key areas for stakeholder feedback

With the March 7, 2025, deadline approaching, regulated entities should evaluate the potential impact of the proposed changes and consider submitting comments to OCR on:

  • Operational feasibility of annual policy reviews, audits, and compliance testing.
  • Burden of obtaining written security attestations from all business associates.
  • Additional exceptions for encryption mandates, particularly for patient-initiated communications.
  • Clarification on shared security responsibilities in cloud computing environments.
  • Refinement of the definition of “security incidents” to exclude unsuccessful breach attempts.

Next steps for regulated entities

Given the likelihood of increased enforcement, organizations should begin preparing now by:

  • Assessing current security practices against the proposed requirements.
  • Identifying gaps in encryption, risk analysis, and workforce training policies.
  • Reviewing business associate agreements for necessary updates.
  • Preparing for increased audit and verification obligations.
  • Engaging in industry advocacy to ensure feasible and practical implementation standards.

By proactively addressing these upcoming changes, regulated entities can position themselves for compliance while minimizing operational disruptions.

BerryDunn’s healthcare consulting team has the expertise your organization needs to ensure compliance with HIPAA. Learn more about our team and services.

Article
Proposed HIPAA Security Rule changes: Key considerations for regulated entities