Alan F Burke CPA
A Look at the Nonaccrual Experience Method
October 1, 2025 · Accounting News, Blog
When it comes to running a business, having outstanding invoices that turn into uncollectible receivables, or simply bad debt, is a fact of life. The Internal Revenue Service (IRS) has a safe harbor that permits businesses to exclude such bad debt from taxation if it qualifies. However, understanding how to determine whether a business is eligible is essential to making the most of it when the business files its taxes.
Defining the Nonaccrual Experience Method (NAE)
When businesses perform a service, they expect to be paid. However, they sometimes have unpaid invoices that are uncollectible. One provision within the Internal Revenue Code (IRC) is the nonaccrual experience (NAE) method, which addresses how such bad debts are treated.
How It Works
Once a company sees bad debt in its system after customers fail to pay their invoices, it calculates the amounts it projects it won’t be able to collect. Projecting bad debt is accomplished by the company looking at previous experiences with its payees. It’s important to note that this accounting is used by businesses for only a portion of their projected uncollectable customer bad debt; businesses similarly project the remaining percentage they expect to collect from outstanding invoices in the future.
One important step in determining a business’s eligibility for relief from the accrual segment of uncollectible revenue, per the U.S. Securities & Exchange Commission (SEC), is determining its industry classification. Sample industries include legal professionals, engineers, performance art professionals, architects, and actuaries.
It’s important to note that if businesses don’t use this method, they may charge off such debts. Charge-offs are when a company writes the debt off its balance sheet and expenses the uncollectible funds on the income statement. Companies must also adhere to the following criteria to take advantage of the safe harbor:
The company must currently use the accrual method of accounting when recording revenues, and not the cash method to account for revenue.
The company, in a single year, within the past 36 months, has earned up to, but no more than $5 million in gross receipts.
IRS Guidance
Beginning in September 2011, the Internal Revenue Service permitted taxpayers to use the NAE method to determine applicability by applying a factor of 95 percent to their allowance for bad debts via their past 60 months of financial documents. This permits businesses to exclude qualifying uncollectible revenues from their taxable income, which is beneficial for lowering the amount of taxes owed. It is often easier for NAE-specific designated industries to qualify; however, only companies with the appropriate amount of historical information to substantiate are eligible.
Further Considerations and Conclusion
One example of this safe harbor includes having financial information that’s expertly tracked for the past 60 months via financial statements. If the company can’t substantiate it, it won’t be able to qualify. Similarly, services provided, or the resulting receivables, that have interest and/or financial penalties attached are ineligible.
When it comes to navigating the IRS code, the NAE can provide another way for eligible companies to maximize filings and tax obligations.
Disclaimer
These articles are intended to provide general resources for the tax and accounting needs of small businesses and individuals. Service2Client LLC is the author, but is not engaged in rendering specific legal, accounting, financial or professional advice. Service2Client LLC makes no representation that the recommendations of Service2Client LLC will achieve any result. The NSAD has not reviewed any of the Service2Client LLC content. Readers are encouraged to contact a professional regarding the topics in these articles. The images linked to these articles are protected by copyright and should not be copied for any reason.
Alan F Burke CPA
The Silent Threat: How Simple Misconfigurations Are Fueling 2025’s Worst Cyberattacks
October 1, 2025 · Blog, What's New in Technology
As organizations invest heavily in next-gen firewalls, AI detection, and threat intelligence, grave cyberattacks have been reported as a result of overlooked misconfigurations. According to the latest statistics, about 23 percent of cloud security incidents are directly connected to misconfigurations. These missteps create easy entry points for cybercriminals that may lead to data breaches, ransomware demands, and financial loss.
What are Misconfigurations?
Misconfigurations are overlooked errors in system setups that create vulnerabilities without the need for hackers to apply advanced hacking techniques. These silent threats are human-driven oversights when configuring software, hardware, or cloud services. Good examples include improperly set permissions in cloud storage, insecure API keys left in code repositories, inadequate security monitoring, and unsecured access points like IoT devices with default passwords.
These issues arise from human error, which accounts for 82 percent of misconfigurations. The problem is compounded in today’s cloud era, where businesses depend on cloud platforms, software-as-a-service (SaaS) stacks, and AI-driven infrastructure. Many organizations now use multiple providers, which makes configuration challenging. Rushed deployment also adds to the misconfiguration problem, especially when a thorough audit is not conducted. Unlike malware or phishing scams, misconfigurations remain undetected until exploited.
2025’s Worst Cyberattacks Fueled by Misconfigurations
This year alone, there has been a surge in incidents related to misconfiguration, which is alarming. There were more than 9.5 million cyberattacks in the first half of the year. A good example is the Coinbase breach of May 2025, in which data from more than 70,000 customer records was stolen. This breach is attributed to insider threats exploiting misconfigured permissions.
Recently, cybersecurity researchers revealed a botnet campaign that exploited misconfigured DNS Sender Policy Framework (SPF) records across 20,000 domains and compromised more than 13,000 MikroTik routers. This enabled large-scale spam and spoofing attacks.
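An added example, not part of the original article: a small offline linter a domain owner can run over their own TXT records to catch common SPF weaknesses. The article does not say which SPF settings were involved in the campaign; the checks below follow RFC 7208, the sample records are constructed, and the finding codes and the `MIN_IP4_PREFIX` threshold are assumptions made for illustration.

```python
import re

# Mechanisms that each cost one DNS lookup at evaluation time (RFC 7208, 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_DNS_LOOKUPS = 10   # evaluation limit set by RFC 7208
MIN_IP4_PREFIX = 8     # assumption: an ip4 range wider than /8 is treated as a mistake

TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(.*)$")


def select_spf(txt_records):
    """Return the term lists of every TXT record that is an SPF record."""
    selected = []
    for record in txt_records:
        parts = record.split()
        if parts and parts[0].lower() == "v=spf1":
            selected.append(parts[1:])
    return selected


def audit_terms(terms):
    """Check the terms of one SPF record and return a set of finding codes."""
    findings, lookups = set(), 0
    seen_all = has_redirect = False
    for raw in terms:
        match = TERM_RE.match(raw.lower())
        if not match:
            findings.add("UNPARSEABLE_TERM")
            continue
        qualifier, name, rest = match.groups()
        if rest.startswith("="):              # modifier such as redirect= or exp=
            if name == "redirect":
                has_redirect = True
                lookups += 1
            continue
        if seen_all:                          # never evaluated: "all" always matches
            findings.add("MECHANISM_AFTER_ALL")
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":                     # RFC 7208 says ptr should not be used
            findings.add("PTR_MECHANISM")
        if name == "ip4" and "/" in rest:
            prefix = rest.rsplit("/", 1)[1]
            if prefix.isdigit() and int(prefix) < MIN_IP4_PREFIX:
                findings.add("BROAD_IP4_RANGE")
        if name == "all":
            seen_all = True
            if qualifier in ("", "+"):        # a bare "all" means "+all"
                findings.add("PASS_ALL")      # every sender on the internet passes
            elif qualifier == "?":
                findings.add("NEUTRAL_ALL")   # the record takes no position
    if not seen_all and not has_redirect:
        findings.add("NO_DEFAULT_RESULT")     # unmatched senders get "neutral"
    if lookups > MAX_DNS_LOOKUPS:             # lower bound: nested includes not followed
        findings.add("TOO_MANY_DNS_LOOKUPS")
    return findings


def audit_spf(txt_records):
    """Audit all TXT records of one domain; return sorted finding codes."""
    records = select_spf(txt_records)
    if not records:
        return ["NO_SPF_RECORD"]
    findings = set()
    if len(records) > 1:                      # more than one SPF record is a permerror
        findings.add("MULTIPLE_SPF_RECORDS")
    for terms in records:
        findings |= audit_terms(terms)
    return sorted(findings)


# Constructed sample data: domain -> TXT records as a resolver would return them.
SAMPLE_TXT = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "open.example": ["v=spf1 include:_spf.mail.example +all"],
    "legacy.example": ["v=spf1 mx ptr ?all", "v=spf1 ip4:0.0.0.0/0 ~all"],
    "nodefault.example": ["google-site-verification=constructed-token", "v=spf1 a mx"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE_TXT.items():
        print(domain, audit_spf(records) or "ok")
```

The lookup count only covers the record itself, so a domain that passes here can still exceed the limit once its includes are resolved.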
In many regions, misconfigured VPN gateways and remote access tools have also contributed to ransomware campaigns, with attackers bypassing perimeter defenses by exploiting a misconfigured VPN portal.
IoT weaknesses have also seen entire networks of smart devices compromised, simply because administrators did not change the default login credentials. The entry points ranged from security cameras to industrial sensors, allowing attackers to access more sensitive corporate systems.
Why Organizations Keep Making the Same Mistakes
Talent shortage – Many IT teams are stretched and lack sufficient experts to catch every misstep.
False confidence in automation – While automated tools are a great help, they are not foolproof. Overreliance on these tools and having a set-and-forget mindset can leave room for security breaches.
Velocity over security – This happens when rapid delivery of product features overshadows the slower discipline of security reviews.
Siloed responsibility – In many organizations, security is delegated to a separate team instead of being embedded across different units like the development, operations, and business units.
Awareness gap – Many teams underestimate how a single overlooked setting, like an open test environment, can escalate into a full-scale breach.
Prevention Strategies and Best Practices
Fortunately, misconfigurations are one of the preventable causes of security breaches. Preventing misconfigurations requires proactive measures that include:
Continuous auditing and testing – Run regular audits and tests of automated configuration-management tools to detect misconfigurations and reduce the window of exposure.
Adopt zero-trust models – No device or user should be trusted by default; grant only minimum access where required.
Strengthen access controls – Always change default device credentials, partition networks, and enforce MFA across all accounts.
Automated detection tools – Use cloud security posture management, compliance-as-code, and drift detection to catch misconfigurations in real time.
Cross-functional training and culture – Employee training is vital, as human error accounts for 82 percent of incidents. Security literacy should extend to both technical and non-technical teams.
Follow industry guidelines – Align with recognized security frameworks (NIST, ISO, CIS) and CISA’s published guidance on the Top Ten Cybersecurity Misconfigurations. For example, avoid using default configurations, enforce patch management, and properly segment networks.
Incident response readiness – Have a well-drilled response playbook to keep disruption minor if the defenses fail.
Conclusion
Simple misconfiguration remains a silent enabler of devastating cyberattacks through avoidable errors. Business owners must prioritize configuration hygiene to build resilient digital infrastructures and protect against future threats.
It is a clear lesson that cybersecurity doesn’t always depend on battling sophisticated hackers but rather ensuring they don’t get an easy way in.
Alan F Burke CPA
How to Reduce the Burden of IRA Required Minimum Distributions
September 1, 2025 · Blog, Tax and Financial News
Required minimum distributions (RMDs) from traditional IRAs and 401(k)s often become a significant tax burden during retirement. As the percentage of your IRA that must be distributed increases each year, many retirees face higher adjusted gross income and increased exposure to stealth taxes. However, with strategic planning, you can transform RMDs from burdens into opportunities.
Timing Your First RMD
The RMD starting age has changed recently: age 72 for those born before 1951, age 73 for those born 1951-1959, and age 75 for those born in 1960 or later. Your first RMD must be taken by April 1 of the year following when you reach the required age.
While you can delay your first RMD until early the following year, most taxpayers should take it in the year they reach the required age. Delaying means you’ll take two RMDs in one calendar year – your delayed first RMD plus that year’s current RMD – potentially pushing you into higher tax brackets and increasing stealth taxes.
Managing Multiple IRAs
If you own several traditional IRAs, you have valuable flexibility under the aggregation rules. First, calculate the RMD for each IRA separately. Then, you can either take distributions from each IRA individually or combine all RMDs and withdraw the total amount from your IRAs in any ratio you choose, even taking the entire amount from just one account.
This flexibility allows you to rebalance your portfolio, draw down smaller accounts, or meet other financial goals. Just ensure that by December 31, your total distributions equal or exceed the aggregate RMD. Note that inherited IRAs and employer plans like 401(k)s cannot be aggregated and must have their RMDs calculated and taken separately.
Charitable Giving Strategy
One of the most tax-efficient strategies is using qualified charitable distributions (QCDs). If you’re over 70½ and make charitable gifts, taking your RMD as a QCD can reduce your taxable income while satisfying the distribution requirement. This strategy often provides better tax benefits than taking a distribution and then making a separate charitable deduction.
Account Structure Optimization
The tax law allows you to consolidate or split IRAs without tax consequences using direct trustee-to-trustee transfers. Some people prefer multiple IRAs for beneficiary planning, different investment strategies or to keep 401(k) rollover money separate. Others find multiple accounts harder to manage and worry about unequal performance affecting beneficiaries differently.
Consider your specific situation: if you have a qualified longevity annuity contract (QLAC) that delays RMDs until age 85, managing it in a separate IRA might be easier.
In-Kind Distributions
You don’t need to sell assets to generate cash for RMDs. Instead, you can make in-kind distributions by transferring securities directly from your IRA to a taxable account. This preserves your asset allocation and can be particularly advantageous when assets have temporarily declined in value.
With in-kind distributions, the asset’s value on the distribution date becomes your new tax basis. If you believe a depressed asset will recover, distributing it means you pay ordinary income tax on the current low value, while future appreciation becomes tax-advantaged long-term capital gains. This strategy is also helpful for unconventional assets like real estate or small business interests that are difficult to sell in portions.
Distribution Timing and Amount
You can take RMDs anytime during the year. Some prefer monthly distributions for regular cash flow, others take distributions early to ensure compliance, and some wait until year-end to maximize tax deferral and delay estimated tax payments.
Remember that RMDs are minimums – you can always take more. Consider larger distributions in years when your tax rate is unusually low due to higher deductions or lower income. This reduces future RMDs when your tax rate might be higher.
Conclusion
Strategic RMD planning can significantly reduce their tax impact. By understanding timing options, leveraging aggregation rules, using charitable strategies, optimizing account structures, considering in-kind distributions and timing distributions strategically, you can turn required distributions into opportunities for smart tax and retirement planning.