Is Your Nonprofit Data Safe?

Many nonprofits keep confidential information on their computers, including sensitive data and items that cannot be lost. Membership or donor information, accounting data, and other confidential information should be safeguarded against snooping eyes.

A typical control here is to have a disaster preparedness plan, which includes a recovery strategy for the nonprofit’s functions. But that’s not enough.  Organizations should consider the following issues with software, hardware, and the cloud.

Software

Risks when dealing with software include unauthorized entry, loss of data, and confidentiality issues. Some internal control mechanisms to minimize these risks are:

  • Use anti-virus and firewall programs to prevent malware from infiltrating the system.
  • Do daily backups of all systems and keep the backup files off the premises.
  • Require IDs and passwords on all systems.
  • Acquire programs to identify and stop unauthorized entry using the Internet and other means.
  • Require information systems authorization for program purchases to be sure the program is indeed needed and is compatible with existing software.
  • Once employees leave the organization, they should not have access to the nonprofit’s systems.
  • Include security to prevent information systems personnel from accessing passwords or confidential information.
  • Create policies and procedures about computer usage and safety.

Hardware

The risks with hardware involve theft, maintenance, and obsolescence of the machines. Below are some controls to minimize these risks:

  • Place all equipment, including servers and printers, in a safe location.
  • Label all equipment with numbers and create a list of all equipment using the number and description.
  • Maintain this list, doing physical audits to identify equipment disappearances, losses and damages.
  • Centralize maintenance services and schedule them regularly.
  • IT management should approve purchases, retirement or sales of hardware.
  • Dispositions of old computers must be done carefully since they contain confidential information that may be recovered unless the nonprofit takes certain
  • Dispositions of old computers and peripherals must comply with laws to avoid poisoning the environment and possible fines.

Using the Cloud

Many nonprofits have been using accounting and other programs “in the cloud.” This means that organizations’ management and staff access these computerized programs through the Internet, making the software very convenient since employees can access the system anywhere as long as they have proper online connections, login IDs, and passwords.

Organizations using old, unreliable equipment may benefit from the cloud since the data is not saved locally. If the server or individual computers stop working, the information is not lost and is still available.

However, there are risks associated with the cloud system. For example, the program may not be available online for long periods. So, before selecting a cloud system, check its reliability through Internet searches and word-of-mouth.

Once the organization decides to go online, management must trust the Internet provider to provide adequate security for the data, which may include donor information. Not surprisingly, data security of cloud systems is a major concern for both for-profit and nonprofit users.

Another issue with the cloud is the data transfer. If a nonprofit employs the cloud and then moves to another system, the existing data will need to be downloaded and transferred to another program. The cloud provider should allow for such transfers and help the organization in this matter, but some charge fees, so inquiries about this matter are beneficial to avoid surprises later.

Interested in CPE credits regarding nonprofits?  Online Practical CPE Courses

You can also check out my books:

Nonprofit Finance: A Practical Guide 2nd Edition— Nominated for a  2016 McAdam Book Award

15 Quick Tips on Becoming a Great Consultant — Free on Kindle Unlimited

Another Nonprofit Exec in Jail

Not to be too paranoid here, but I just read an article about the Simi Valley Community Foundation whose former executive director stole over $45,000. According to the news, she forged a second signature on the checks used to pay her own mortgage.  Sadly, this embezzlement cost the organization its reputation as it had to stop operations, at least for now.  A total disaster.

It’s not clear how exactly the theft was discovered, but board members noted something odd, hired a forensic accountant to review the records, and went to the police with evidence of embezzlement. So, I give credit to the board for finding this out, but this theft had been going on for a while.

So, what can a board do to prevent or identify financial fraud faster?

1- Knowledge – Get people on the board who understand financial matters and can ask the right questions. The board cannot have the obligation to fundraise and provide oversight only. Board members should have different backgrounds, with at least one person having the education and experience to really understand the information provided and ask good questions. Had this person been on the board of this Simi Valley nonprofit, the fraud may have been identified earlier.

2- Online Access – Have someone from the board check on the bank accounts of the organization online. He or she should review checks and deposits, looking for checks that don’t look right. Just having a policy about this review may deter fraud. Employees may think twice before forging signatures or doing something odd when they know that someone would be looking at the bank transactions regularly.

3- Pay attention – Listen to complaints from staff, donors, and vendors. Oftentimes, information that could be construed as gossip can be useful in pointing you in the right direction. People talk. Even though it’s not clear how the board of the nonprofit became aware of something wrong, my bet is that someone saw something and talked about it. Some nonprofits have started using hotlines for people to report possible fraud anonymously, a very good idea.

4- Variances – Pay attention to the actual vs. budget reports. Looking at this fraud, one may wonder how the $45,000 theft was classified and shown on the financial reports. The amount didn’t show up all at once, but it was likely classified as a budget item. So, if an overage is noted, the board should ask for backup documentation, such as bills. Talk alone doesn’t explain financial issues.

5- System reports – Review new vendor/change vendor reports once a month to question any odd new vendor or changes. In this situation, the bank to which the mortgage was paid would have been added at a certain point to the accounting system. Had this report been reviewed, it may have flagged the bank as an odd vendor. Some accounting systems can send an email whenever a new vendor is added or changed, making this task automatic.

6- Bank reconciliations — Check on bank reconciliations, making sure they are done monthly. Keep an eye on deposits that are recognized in the accounting records, but don’t seem to be in the bank. Also, look at the detailed outstanding check list. This can be done online using the accounting system and can be emailed to someone at the board. If a check shows up at the bank, but not on the accounting records of the organization, it could be a red flag.

7- Self-reliance – Don’t count on auditors to notice embezzlement. Audits are designed to assure reasonableness of financial statements and they may identify fraud, but not always, especially when the fraud is committed by management. When something seems wrong, note it, and don’t wait for the auditors to figure it out. Insiders are the first people to note things that don’t seem right.

8- Education — Educate all employees on fraud and embezzlement. Nonprofits should have this topic in their policies and procedures documentation and not be embarrassed about it. Fraud happens not just with stealing funds, but in other areas as well, such as equipment theft and overtime pay without authorization. Just showing this awareness and clarity over fraud may prevent it in the first place.

It’s a shame that nonprofit boards must always be on alert for fraud and embezzlement, but that’s the reality of the situation. Once a scandal happens, it’s hard for the organization to regain the trust and respect of donors, making it hard to move forward.

So, it’s time to talk about this issue openly and set up written policies and procedures with tasks specifically designed to prevent and identify fraud and theft.  The ideas presented here won’t assure boards that they are safe from this issue, but are steps in the right direction.  Each organization is different and I’m sure many will need more control features than the ones presented here.  The crucial point here is that fraud signs cannot be ignored by the board.
