Non-Profit Regulatory Update

CECL: An Important Reminder Regarding FASB ASU 2016-13 and Non-Profits

On June 16, 2016, the Financial Accounting Standards (Board) FASB issued ASU 2016-13, Financial Instruments-Credit Losses which is effective for fiscal years beginning after December 15, 2022. This standard introduces the current expected credit loss methodology (CECL) for estimating credit losses and impacts accounting for trade receivables, loan receivables, and debt securities. This blog addresses the changes you should be aware of for trade accounts receivable due within one year, which impacts most organizations.

Before implementation of CECL, organizations could calculate the allowance for doubtful accounts (allowance) based solely on past experience. CECL requires organizations to include forward- looking, or predictive information in calculating the allowance. Reliance on historical percentages is no longer sufficient.

To efficiently adopt CECL complete the following steps:

  1. Determine which receivables are the result of revenue transactions. Pledges and receivables resulting from contributions are scoped out of the standard and no change should be made to the method used to record allowances related to these transactions because of implementing CECL.
  2. Disaggregate receivables and consider whether there are government payors for which no allowance for doubtful accounts should be recorded based on government policies or practices. This could include instances such as when the government pays for required services for those with intellectual disabilities. Document the government payment policies and retain support showing there is no previous bad debt. This support could include details of bad debt accounts by payor for prior years.
  3. Group the remaining receivables into pools with similar risk characteristics (type of transaction, type of member, aging category, and new customers), determine the historical allowance for each pool, and complete the following:
    -Determine that the historical allowance approximates bad debt by comparing actual write offs to the allowance for prior year(s).
    -For each pool, consider any current information and/ or expectations that may increase or decrease the historical allowance, such as increase in pricing or rates, changes in payment polices, changes in the industry that your organization operates in and similar types of considerations.
    -Estimate any necessary increase in the allowance, and retain your calculation as well as supporting documentation.
    -Calculate the current year allowance based on the historical allowance as well as expected increases.

There are also changes to the financial statements required when CECL is adopted. You will also need to show the allowance for credit losses separately on the Statement of Financial Position (Balance Sheet) and remove the word “bad debts” from financial statements footnotes and replace it with “credit losses”.  In addition, you will need to create a roll forward of the allowance for credit losses including current year write offs and recoveries.

CECL should be adopted using the modified retrospective approach, meaning you will record a cumulative – effect adjustment to the Statement of Financial Position (Balance Sheet) as of the beginning of the first reporting period in which the guidance is effective. There is no requirement to retrospectively adopt for the earliest period presented.

Auditors are required to obtain and test supporting documentation for allowance calculations and will be requesting this information during audits. If tou have any questions regarding CECL please contact a member of your audit team.


Other News

Important Controls For ACH Payments

Lisa A. Ritter, CPA, CFE, CITP
Automated Clearing House (ACH) electronic payments are bank to bank payments made in batches and processed through the ACH network. They are generally used to pay vendors, make employee direct deposits, or receive money from other businesses. All ACH transactions are overseen by the National Automated Clearing House Association (NACHA).

As with all online payment and money transactions, ACH payments are a target of social engineers.  Social engineers manipulate employees into performing actions or divulging confidential information they should not. This is best countered with documented internal controls and training for employees. Employees should be trained at the time of hire and at least annually.  Internal controls for ACH transactions should include:

  • segregation of duties
  • information security
  • a payee verification process and
  • active monitoring

Segregation of duties for ACH payments includes having one person input the payment and having a separate person verify and approve the payment. Segregation between the accounting and approval functions should also be in place.

Restricted access to banking information is an important security measure. Any ACH related forms should not be publicly accessible, and sensitive material shared over emails should be encrypted.  The ability to edit banking information should be limited and have specific protocols in place.   Electronic payment files should be set to read only.  Dollar limits and ACH blocks on selected accounts are also important controls as well as multi-factor authentication.

Staff should always verify any account information given. This could be a video call if the payee or employee would be recognizable or by phone. Contact information should be on file and confirmed if changed. Active monitoring consists of checking the ACH payment remittance receipt, reviewing bank accounts daily, and reviewing payee lists for approved ACH payments.

ACH transactions are generally a safe and inexpensive way to pay vendor invoices and make direct deposits.  NACHA estimates that fewer than 0.03% of ACH transactions are returned as unauthorized. ACH payments were approximately $29 billion in 2021 according to NACHA.  While these transactions are relatively safe, errors can be made, and appropriate care should be taken.

An ACH payment can be reversed under certain circumstances, but NACHA has strict reversal rules.  Reversals must occur within 5 business days of the transaction, and a reversing file should be submitted to your bank within 24 hours of discovering the error.  Furthermore, only certain situations qualify for approval of the reversal.   Reversals can be approved if the payment was for the wrong amount, made to an incorrect payment recipient, or if a duplicate transaction occurred. Partial amount reversals are not permitted. Not all transactions can be reversed.   For example, if a fraudster impersonates an employee and asks for a change in bank routing number that your company inappropriately approves and processes, you may have difficulty recovering the funds.

You should review your bank’s policies regrading ACH transactions and fees. For example, your bank may not waive insufficient funds charges if an ACH to be reversed resulted in a negative balance.

If you have any questions about appropriate controls for ACH transactions, feel free to reach out to us for additional information.

Auditing Standards Board Update

These New Audit Standards May Require Your Attention







Partner Lisa Ritter has published an article in the Pennsylvania CPA Journal on SAS (Statements on Auditing Standards) Nos. 134 through 140. These standards are:

  • SAS No. 134 – Auditor Reporting
  • SAS No. 135 – Omnibus SAS
  • SAS No. 136 – Employee Benefit Plan ERISA Audits
  • SAS No. 137 – Other Information
  • SAS No. 138 – Amendements to the Description of the Concept of Materality
  • SAS No. 139 – Amendments to Incorporate Changes from SAS 134
  • SAS No. 140 – Amendments to Incorporate Changes from SAS 134 and 137

For more information you can review the article here: 

Information Technology

Cybersecurity Training Resources







Research suggests as much as 91% of cyber-attacks are via email directed at employees.  This statistic would suggest that employee training is one of the most effective ways to combat security threats.  Unfortunately, many organizations do not have in-house IT staff or other resources to provide that training.

In some cases, employee training may be available through cyber- security insurance that an organization has already purchased.  For those organizations that find the premiums for cybersecurity insurance are too high, they may find that mandatory security awareness training can reduce premiums along with the use of best practices like multi-factor authentication and data and device encryption.  It might be worthwhile to contact your insurance agent to find out what discounts might be available and to inquire about training.  This is an area that changes quickly so reviewing cybersecurity polices will need to be completed more frequently than traditional types of policies.

Other training options include purchasing solutions from companies such as KnowBe4, NINJIO and Barracuda.  KnowBe4 provides cybersecurity awareness training and simulated phishing attacks. There are also some free tools and resources available on the KnowBe4 website at  NINJIO provides cybersecurity training and encourages employee competition through quizzes and points awarded.  Barracuda provides an array of services including threat prevention as well as incident response solutions and security awareness training.

The Cybersecurity and Infrastructure Security Agency provides free resources including a ransomware guide with instructions on how to prevent a cyberattack at  CISA MS-ISAC Ransomware Guide. The guide links to a one page document entitled, “ Avoiding Social Engineering and Phishing Attacks”  that is written in plain English and could be provided to employees.  Other resources at this site include a guide on “Using Caution with Email Attachments”, and a Guide on “Good Security Habits”.

The Cyber Readiness Institute offers a free program and starter guide to help small and medium-size organizations prepare for attacks.  The site offers a series of flyers on topics such as “Managing the Relationship with Your Outside Cybersecurity Provider”, and videos on security education and Awareness at  Security Education & Awareness: Preventing Ransomware – Cyber Readiness Institute.

The United States Secret Service publishes several items including a one-page guide to business compromised e-mail accounts and guides on preparing for a cyber incident.   Materials include brochures on email compromise that could be provided to employees at the United States Secret Service.

Given the current risk, cyber security training is extremely important at this time.  Any progress you make in this area will benefit your organization.

Firm News

Passionate About Quality: A Quality Control Update

Lisa A. Ritter, CPA, CFE, CITP








Lisa A. Ritter, CPA, CFE, CITP
Quality Control Partner

Maher Duessel is in the middle of the annual test of our system of quality control.  We are passionate about providing quality services, and we expend significant resources ensuring that quality.  The elements of our quality control system include the following:

  • Leadership responsibilities including tone at the top
  • Compliance with relevant ethical requirements
  • Compliance with polices for acceptance and continuation of client relationships
  • Human Resources policies
  • Engagement performance including compliance with auditing and accounting standards
  • Monitoring of each element of quality control

I would like to thank a very talented team for assisting with the annual process this year including the following who assisted with the inspection:

  • Jennifer L., CruverKibi, CPA, Partner
  • Amy C. Lewis, CPA, Partner
  • Robert A. Belicose, Jr., CPA, Principal
  • Janet L. Feick, CPA, Senior Manager
  • Michelle L. Hoke, CPA, Senior Manager
  • Jonathan C. Mentzer, CPA, Senior Manager
  • Peggy Jo Revay, CPA, Senior Manager
  • Dustin D. Starr, CPA, Senior Manager
  • Natalie Caponi, CPA, Manager
  • James Contrella, CPA, Manager
  • Kristen E. Moss, CPA, Manager
  • Sara Reed, CPA, Manager
  • Allison R. Bozman, CPA, Manager
  • Patrick J. Kline, CPA, Senior Auditor

Michelle Buskey has taken the lead on this project.  Her contributions are invaluable. Partners Elizabeth (‘Betsy’) E. Krisher, CPA, CGFM, and Brian T. McCall, CPA, CGFM also provided significant support to the process, along with administrative support from Kim Phillips, and I am grateful for all of their assistance.

In addition to the annual testing we complete, every three years we engage an independent accounting firm to review the quality of our work.   We will undergo that process approximately one year from now. The results of external reviews are always located on our website here.