Keeping an organization’s financial information secure and reliable is a primary concern for most nonprofit CFOs, finance directors, and financial managers. It isn’t uncommon to see these passionate individuals put a rigorous set of policies in place to provide strong internal control and oversight of financial functions. Operating under the “trust but verify” philosophy, internal control policies frequently focus on individuals, job responsibilities, and codified processes. All of these are important areas to address with effective policy controls, but if you aren’t integrating technology into your security controls, you might be leaving a gap in your financial security strategy.
Here are five ways to incorporate advanced security technology to help you consistently and fairly apply effective internal controls to your organizational processes:
1. Use role-based security features to enforce segregation of duties – Using the advanced security settings of your financial software, you can achieve a greater level of segregation of duties for your organization. Whether the software settings are process-based (which is fairly common) or your software offers more sophisticated account-level security that can limit the information available to users at a granular level, these settings can be used to enforce your internal policies within your accounting system. When possible, only allow access to accounts that an individual needs for their role in the organization. By putting these security settings in place, you can reduce the opportunity for individual or collective fraudulent activities as well as reduce the risk of entry errors.
2. Enable audit trail tracking of changes – Most accounting or financial software offers some form of audit trail tracking mechanism. How much information it captures depends on the application. Make use of this feature and incorporate a periodic review of the information captured in the audit log. If possible in your application, be sure to review transactional information, vendor change information, customer change information, and always review security change information. Try to think of this tool as a proactive way to review system changes for questionable activity and not just a research tool for use after a fraudulent act has been committed.
3. Encrypt sensitive financial or personnel information – Many financial managers rely on the data protection practices of their IT department or a consultant. It is important to remember that protecting your financial data means protecting it from sources of internal and external harm. Be sure to leverage any data encryption functionality your financial application has to offer. This will reduce the risk of someone altering data in your system, either intentionally or unintentionally, as well as protect sensitive data you might have in your system such as account numbers or social security information.
4. Proactively enforce policies through system alerts – Some accounting software might allow you to create user-defined alerts that will notify you of certain activity within the system. These alerts can be triggered by processes such as checks issued for a certain amount, checks issued to a particular vendor, or a low bank account balance. These alerts can help you enforce your internal controls by notifying individuals when specific events require action. Additionally, these can be used to save you time by automating some of your internal control processes. For example, if you require checks over a certain amount to be signed by multiple individuals – set up an alert that will notify your authorized check signers that the system has generated a check over the threshold amount. The message could ask the signers when they will be available to sign the checks. In addition to being a time-saver and helping you to consistently apply your policies, system alerts can be a great auditable trail that demonstrates your commitment to applying solid internal controls.
5. Actively manage your users – An often overlooked but critical component of maintaining your organizational security and making sure that internal controls are effective is actively managing your system users. Different applications offer various ways to achieve this. If possible, produce and review periodic reports on active users and access levels. Use standardized access groups for login creation to make sure that specific access is given to individual users. Create an organization-wide password reset policy to ensure that active users are keeping passwords fresh and inactive users cannot log in to the system. Lastly, some applications allow automatic termination of system rights to terminated employees in payroll, which can help automate an important but sometimes overlooked closed-loop process.
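A periodic access review of the kind items 1 and 7 describe, sketched in Python as an added example (not from the original article or any accounting product): it reconciles system users against payroll status, flags idle accounts, and checks for permission pairs that break segregation of duties. The user records, permission names, conflict pairs, and the 90-day idle threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample exports; field and permission names are assumptions,
# not taken from any particular accounting product.
USERS = [
    {"login": "akhan", "employee_id": "E01", "last_login": date(2024, 5, 28),
     "permissions": {"vendor.edit", "ap.enter_invoice"}},
    {"login": "bsmith", "employee_id": "E02", "last_login": date(2024, 1, 10),
     "permissions": {"ap.approve_invoice"}},
    {"login": "cjones", "employee_id": "E03", "last_login": date(2024, 5, 30),
     "permissions": {"vendor.edit", "ap.issue_check"}},
    {"login": "svc_import", "employee_id": None, "last_login": date(2024, 5, 31),
     "permissions": {"gl.post_journal"}},
]
PAYROLL_STATUS = {"E01": "active", "E02": "terminated", "E03": "active"}

# Permission pairs one person should not hold together (assumed policy).
SOD_CONFLICTS = [
    ("vendor.edit", "ap.issue_check"),
    ("ap.enter_invoice", "ap.approve_invoice"),
    ("security.admin", "gl.post_journal"),
]

def review_access(users, payroll_status, today, max_idle_days=90):
    """Return (login, finding, detail) tuples for a reviewer to follow up."""
    findings = []
    for user in users:
        login, perms = user["login"], user["permissions"]
        # 1. Every login should map to someone payroll still lists as active.
        status = payroll_status.get(user["employee_id"])
        if status != "active":
            findings.append((login, "not active in payroll",
                             status or "no payroll record"))
        # 2. Accounts that have not been used recently should be disabled.
        idle = (today - user["last_login"]).days
        if idle > max_idle_days:
            findings.append((login, "idle account", f"{idle} days since last login"))
        # 3. No single user should hold both halves of a conflicting pair.
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                findings.append((login, "segregation-of-duties conflict", f"{a} + {b}"))
    return findings

if __name__ == "__main__":
    for login, finding, detail in review_access(USERS, PAYROLL_STATUS, date(2024, 6, 1)):
        print(f"{login:<12} {finding:<32} {detail}")
```

Logins with no payroll record, such as the constructed `svc_import` account, are reported rather than ignored so that shared or service accounts get an explicit owner during the review.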
Integrating these five technology-enabled steps into your internal control processes can greatly help protect your donors, you, your employees, and your organization from fraudulent activities. These proactive methods could help you detect questionable activity in your system much sooner than methods that rely only on after-the-fact detection in the audit cycle.
Using the technological capabilities of your accounting system to automate or enforce your policies not only promotes consistency in the application of your processes, but also provides verifiable proof to your auditors and stakeholders that you are proactively applying measures to safeguard the organization. By advancing your security controls, you will spend less time worrying about processes and have more time to focus on accomplishing your mission.