New Technology Requires New Safeguards


For nonprofit organizations that want to minimize their risks, implementing solid internal controls can’t be just a one-time exercise. As assets and their associated threats evolve, so must your defense mechanisms.

Today’s risk environment calls for controls that may not have even been on your radar just a decade ago. In particular, rapid advances in technology should drive your leadership team to think differently about how to best safeguard the organization.

New tools

Technological solutions have been available to ease the burden of internal controls on nonprofits for some time now. Cloud-based accounting software generally includes built-in controls, for example. It can also help you track grant spending in real time, rather than doing it manually. This way you can quickly remedy any mix-ups and avoid issues with your grantors.

More recently, advancements in artificial intelligence (AI) are taking technological assistance to a new level — while creating new threats for nonprofits as well. It can’t be denied that AI is enabling both internal and external bad actors to launch more attacks against organizations than ever. For instance, it has streamlined the development and spread of ransomware and led to the rise of deepfake video or audio recordings that can be used to obtain unlawful access to data, bank accounts and more.

On the other hand, AI also is generating new tools that can help organizations, including nonprofits, more quickly preempt or detect suspicious activity. In particular, AI and automation are making it easier to cost-effectively crunch massive amounts of data to identify anomalies and other red flags that may signal data breaches and fraud.

Earlier warnings give you the opportunity to mitigate the damage, whether the perpetrator is an employee trying to misappropriate assets or a hacker with plans to steal vital financial data. The longer that a scheme continues before detection, the greater the cost to your organization — financially and reputationally.

Internal controls shouldn’t be solely about securing data and finances, though. You also must be concerned with, for example, ensuring grant funds are properly allocated.

Access controls

The term “cyberattack surface” refers to all the potential entry points an unauthorized user could use to reach a network or system. Many of your employees may still work remotely, at least some of the time. And even if they don’t, most workers now access at least one of their employer’s networks from multiple devices. So, the surface has expanded for many nonprofits.

The password method of controlling access is no longer sufficient; even multi-factor authentication may prove inadequate. For-profit businesses — and some nonprofits — have been adopting stronger defenses, such as role-based controls. These restrict access to systems or data to only those whose jobs require use of it. For example, only accounting staff (and certain executives) can access all financial data.

Role-based controls come in different levels of access:

Just-in-time. This provides users with access only when they need it, and only for a limited period.

Just-enough. This control applies the principle of “least privilege,” giving users access to just enough information to perform their assigned tasks.

Microsegmentation. This also takes a tight approach, dividing a network into discrete segments, each with its own access requirements.

Zero trust. This model takes a stance of “never trust, always verify.” It approaches access for every user, device and connection on a per-request basis — whether inside or outside the network. Users must undergo repeated authentication before receiving access. For each request, the system considers the user’s identity, location and device, along with the classification of the data sought, before granting access.
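As an added illustration (not part of the article), the following Python sketch evaluates a single access request the way the section describes: identity verified on each request, a role that must explicitly grant the action (just-enough), device and location weighed against the classification of the data sought, and a time-boxed just-in-time grant required for writes to restricted data. The roles, resources, classifications and sample requests are all constructed for the example.

```python
"""Per-request access decision combining just-enough (role-based), just-in-time
and zero-trust checks.  Added illustration; every role, resource, classification
and sample request here is constructed, not taken from any real system."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed role -> resource -> permitted actions ("just-enough" access).
ROLE_PERMISSIONS = {
    "accounting": {"financial": {"read", "write"}, "grants": {"read"}},
    "executive":  {"financial": {"read"}, "grants": {"read"}},
    "program":    {"grants": {"read", "write"}},
}

# Constructed data classification consulted by the zero-trust decision.
DATA_CLASSIFICATION = {"financial": "restricted", "grants": "internal"}


@dataclass(frozen=True)
class JitGrant:
    """A time-boxed elevation approved for one user on one resource."""
    user: str
    resource: str
    expires_at: datetime


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str           # "read" or "write"
    mfa_verified: bool    # identity re-verified for this request, not inherited from a session
    device_managed: bool  # device is enrolled and compliant
    network: str          # "office" or "remote"
    now: datetime


def evaluate(req: AccessRequest, jit_grants: list[JitGrant]) -> tuple[bool, str]:
    """Decide one request; every request is checked, inside or outside the network."""
    # Zero trust: identity must be verified on this request.
    if not req.mfa_verified:
        return False, "deny: identity not verified for this request"

    # Just-enough: the role must explicitly include the action on the resource.
    permitted = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
    if req.action not in permitted:
        return False, f"deny: role '{req.role}' lacks {req.action} on {req.resource}"

    classification = DATA_CLASSIFICATION[req.resource]

    # Device and location are weighed against the classification of the data sought.
    if classification == "restricted" and not req.device_managed:
        return False, "deny: restricted data requires a managed device"
    if classification == "restricted" and req.network == "remote" and req.action == "write":
        return False, "deny: remote writes to restricted data are not allowed"

    # Just-in-time: writes to restricted data also need an unexpired grant.
    if classification == "restricted" and req.action == "write":
        active = any(
            g.user == req.user and g.resource == req.resource and g.expires_at > req.now
            for g in jit_grants
        )
        if not active:
            return False, "deny: no active just-in-time grant for this write"

    return True, "allow"


def demo() -> list[bool]:
    """Run five constructed requests; only the first satisfies every check."""
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    grants = [JitGrant("alice", "financial", now + timedelta(hours=1))]
    base = dict(mfa_verified=True, device_managed=True, network="office", now=now)
    requests = [
        AccessRequest("alice", "accounting", "financial", "write", **base),
        AccessRequest("alice", "accounting", "financial", "write",
                      **{**base, "now": now + timedelta(hours=2)}),       # grant expired
        AccessRequest("bob", "program", "financial", "read", **base),      # role lacks access
        AccessRequest("carol", "executive", "financial", "read",
                      **{**base, "device_managed": False}),               # unmanaged device
        AccessRequest("dave", "program", "grants", "write",
                      **{**base, "mfa_verified": False}),                 # not verified
    ]
    return [evaluate(r, grants)[0] for r in requests]


if __name__ == "__main__":
    for ok in demo():
        print("allow" if ok else "deny")
```

The order of the checks matters in practice: the cheap identity and role checks run first, and the just-in-time lookup only runs for the small set of requests that reach it, so the audit trail records the most specific reason for each denial.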

Pervasive threats

It may seem challenging to implement even simple internal controls when you have limited resources, including staff. Unfortunately, the pervasiveness of cybersecurity threats has reached the point where nonprofits must continuously improve their protections. Hood & Strong can help you analyze all your technology costs and assist you in implementing and improving internal controls related to accounting and financial management. Reach out to us for guidance and support.

_________________________________________________

Sidebar: Don’t Forget the Oldies but Goodies

It’s vital that nonprofit organizations stay on top of new technological developments related to internal controls. But that doesn’t mean you forget about the “oldies but goodies.”

Perhaps the most important of these is segregation of duties. This means that no single employee should have control over more than one stage of a financial transaction or function. For example, someone who has access to the organization’s credit card shouldn’t also be responsible for reviewing the monthly card statement or paying it. Similarly, an employee who receives checks shouldn’t be responsible for depositing or recording them.
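The rule above can be tested mechanically against a transaction log. The following Python check is an added example (not from the article): it lists the step pairs that must never be performed by the same person on one transaction, then scans a constructed sample log and reports every transaction where that happened. The step names and the log entries are constructed for the example.

```python
"""Segregation-of-duties check over a transaction log.
Added illustration; the step names and SAMPLE_LOG are constructed."""
from collections import defaultdict
from itertools import combinations

# Pairs of steps that must not be performed by the same person on one transaction,
# mirroring the credit-card and check-handling rules described in the sidebar.
CONFLICTING_STEPS = {
    frozenset({"card_purchase", "statement_review"}),
    frozenset({"card_purchase", "statement_payment"}),
    frozenset({"check_receipt", "check_deposit"}),
    frozenset({"check_receipt", "check_recording"}),
}


def find_sod_violations(events):
    """events: iterable of (transaction_id, step, user) tuples.

    Returns a sorted list of (transaction_id, user, step_a, step_b) for every
    conflicting step pair that one user performed on the same transaction."""
    steps_by_txn = defaultdict(dict)
    for txn_id, step, user in events:
        steps_by_txn[txn_id][step] = user

    violations = []
    for txn_id, steps in steps_by_txn.items():
        # Compare every pair of steps recorded for this transaction.
        for step_a, step_b in combinations(sorted(steps), 2):
            if frozenset({step_a, step_b}) in CONFLICTING_STEPS and steps[step_a] == steps[step_b]:
                violations.append((txn_id, steps[step_a], step_a, step_b))
    return sorted(violations)


# Constructed sample log: two transactions are clean, two break the rules.
SAMPLE_LOG = [
    ("CC-1001", "card_purchase", "alice"),
    ("CC-1001", "statement_review", "bob"),
    ("CC-1001", "statement_payment", "carol"),
    ("CC-1002", "card_purchase", "dan"),
    ("CC-1002", "statement_review", "dan"),      # purchaser also reviewed the statement
    ("CC-1002", "statement_payment", "carol"),
    ("CHK-2001", "check_receipt", "erin"),
    ("CHK-2001", "check_deposit", "erin"),       # receiver also deposited the check
    ("CHK-2001", "check_recording", "frank"),
    ("CHK-2002", "check_receipt", "erin"),
    ("CHK-2002", "check_deposit", "frank"),
    ("CHK-2002", "check_recording", "gina"),
]

if __name__ == "__main__":
    for txn_id, user, step_a, step_b in find_sod_violations(SAMPLE_LOG):
        print(f"{txn_id}: {user} performed both {step_a} and {step_b}")
```

In a small organization the same check can be run against an export from the accounting system each month; a transaction that appears in the output is exactly the kind of irregularity that rotating duties is meant to surface.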

In addition, if possible, rotate financial responsibilities among employees regularly. This can make it easier to identify irregularities. It also makes it more challenging for dishonest staff members to commit fraud — or hide it if they do. Rotating duties has an added benefit, too: You’ll be less vulnerable to the inevitable departure of employees with key responsibilities because others will be able to jump in until a replacement is hired.