IT Controls in a Remote-Working World
By Eva Webb, CPA, LSWG Principal
Monday, December 21, 2020 – As information technology systems continue to evolve and change, it is critical that we understand the importance of the internal controls over our IT systems.
There are external threats to our IT systems (including data breaches and viruses). There are also internal threats (including failure in the design or implementation of the system, or misuse of data by employees). Protecting your organization can involve implementing the various controls outlined below:
Entity-Level Controls:
- Create an IT committee
- Create IT policies and procedures and train staff and volunteers on them
- Assess the adequacy of insurance policies to cover theft, data loss and interruption of business operations
- Maintain an IT infrastructure (including hardware and software used–don’t forget about handheld and mobile devices)
- Adopt an incident response plan and team to respond to IT security incidents and evaluate third-party service providers
Access & Security Controls:
- Restrict access to appropriate personnel based on valid business needs
- Require unique ID’s and passwords and limit shared accounts
- Encrypt data and secure encryption keys
- Adopt an Information Security Policy and enforce it
- Formalize your procedures for addition, modification and termination of user access and physically secure all hardware
Network Security Controls:
- Implement firewalls, intrusion detection and prevention systems
- Implement controls over the updating of Operating System “patches”
- Use a reputable anti-virus, anti-spyware and anti-spam software and routinely install updates and perform vulnerability scans
Backup and Recovery Controls:
- Maintain a formalized backup policy and schedule and implement a system for maintaining backup data (i.e., off-site media storage, remote backup services, SANS) and perform periodic testing to ensure restorability of backup data
Dealing with data loss can be very expensive and time-consuming. We encourage you to evaluate your existing information technology systems and implement/document the controls to ensure that you have a good understanding of where your nonprofit may be vulnerable.
Eva Webb, CPA, is an audit principal and manages LSWG’s Rockville office. She has over 20 years of public accounting experience and specializes in audits of closely-held businesses, local governments, and not-for-profit organizations. You can reach Eva at 240.314.7075, or by email at ewebb@LSWG.cpa.