IT Controls for Not-for-Profit Entities

By Jennifer Coleman, CPA, CFE

As technologies advance and not-for-profits (NFPs) become more sophisticated in using them, information security is becoming a significant business issue. Threats to information security may be internal, such as failure in the design or implementation of IT systems or misuse of data by employees, or external, such as viruses or data breaches.

Don’t fall into the false-security trap of assuming that because your organization is small or holds only limited volumes of data, it is immune to costly information security compromises. According to CSO Online, more than half of all organizations experience a security incident at some point, and it takes the average organization 191 days to identify a data breach.

To protect your organization, consider implementing the following internal controls:

Entity-level Controls

  • Establish a committee to review and monitor IT needs
  • Formalize IT policies and train staff and volunteers
  • Maintain an inventory of all hardware and software utilized
  • Identify and ensure compliance with applicable laws and regulations regarding IT security and privacy
  • Assess the adequacy of insurance policies covering theft, data loss, and business interruption
  • Obtain a service auditor’s report if relying on a third-party service provider

Access and Security Controls

  • Restrict system access to appropriate personnel
  • Require a unique username and password for each authorized user
  • Establish password requirements regarding complexity, age, and the number of invalid access attempts allowed before lockout
  • Formalize procedures for addition, modification, and termination of user access
  • Review access logs to monitor access to applications with financial consequences to the organization

Network Security Controls

  • Implement firewalls and intrusion detection and prevention systems
  • Assign remote access rights based on business need
  • Use reputable anti-virus, anti-spyware, and anti-spam software, and routinely install updates
  • Physically protect servers housing significant data

Back-up and Recovery Controls

  • Establish and maintain a formalized backup policy and schedule
  • Implement a system for maintaining backup data
  • Perform periodic restore tests to confirm that backed-up data can actually be recovered

Change Management Controls

  • Maintain a list of individuals authorized to approve and implement changes
  • Require approval and track all change requests
  • Implement a process for migration to new systems

Should an incident occur, nonprofits without a plan will waste valuable time trying to organize and determine how to respond, and the costs of dealing with the loss of data can be high. Proactive organizations with an established IT security response team and a formalized plan can quickly put that plan into action when needed. Such a plan typically details specific action items and the individuals responsible for them, so that issues such as loss of data are addressed promptly, which helps to minimize costs.

Unfortunately, security breaches and malware are here to stay. While we hope that your organization never has to confront an issue with your information systems, the above checklist will help any conscientious nonprofit prepare and respond.

Jennifer Coleman, CPA, CFE, is the assurance and quality control partner of Myers, Brettholtz & Company, PA. She is a member of the American Institute of Certified Public Accountants and the Florida Institute of Certified Public Accountants and has received certification in fraud examination.
