What steps can your nonprofit take to follow the new SAS145 auditing guidelines and assess IT risks causing financial risks?
New auditing requirements on cybersecurity and SAS145 require nonprofit auditors to consider IT risks in addition to financial risks and mitigation. Learn from Darren Hulem, cybersecurity guru and senior manager in risk advisory at GRF CPAs and Advisors on the new requirements and how they may impact cybersecurity at your nonprofit.
Cybersecurity Best Practices
Darren also explores and describes other cybersecurity threats that are targeting nonprofits, and best practices to defend against them. Darren is a certified ethical hacker and certified information systems auditor.
SAS145 is a statement on accounting standards that provides guidelines for a more holistic view of your risks and defenses, one that includes IT risks. This is a welcome move, since for at least a decade IT risks have been growing in impact on financial crimes targeting nonprofits, such as phishing-initiated wire fraud, account compromise, spoofing, and other financial compromises and crimes.
Darren provides an overview of the types of risks he sees at nonprofits and some simple steps organizations can take to vastly decrease those risks.
Some Key Takeaways:
- Don’t let your emotions prevent you from taking steps to protect your team and your organization from hacks and scams.
- It’s natural to worry about cybersecurity. Every nonprofit is under threat from thieves who just want to steal your funds.
- Letting your worries, fears, or lack of knowledge stop you from putting any security in place makes it easier for the hackers to target your nonprofit.
- Start with the basics and go from there.
- You don’t need to be a cybersecurity expert to take the first steps. And you don’t need to spend a lot of money.
- Holding staff training regularly can significantly decrease the risk of someone clicking on the wrong link or falling for the latest scams. There are lots of training providers out there.
- Find an auditor and IT provider who will answer your questions and guide you in implementing cybersecurity basics.
Presenters

Darren Hulem is a certified ethical hacker and certified information systems auditor with GRF CPAs and Advisors, where he has over six years of experience. Previously he worked as a systems engineer and analyst and started his career working with nonprofits.

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.
She was happy to have this podcast conversation on cybersecurity and SAS145 with Darren Hulem, to delve a little more into the cybersecurity support for nonprofit auditors and hear Darren’s advice on avoiding risks and common scams.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about productivity, change management, and implementation of new technology, you shouldn’t also have to worry about understanding your provider. You want a partner who understands nonprofits.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
More on our cybersecurity services and cybersecurity resources here. If you are worried about cybersecurity and SAS145 guidelines, talk to cybersecurity experts who know nonprofits.
If you’re ready to gain peace of mind about your IT support, let’s talk.
Transcript
Carolyn Woodard: I’m sorry, you didn’t have to dress up.
Darren Hulem: I didn’t. I was like, I’ll put a polo on in case.
Carolyn Woodard: Well, welcome to the Community IT Innovators Technology Topics Podcast. I’m your host, Carolyn Woodard, and I’m very excited today to be here with Darren Hulem from GRF. And he is going to tell us a little bit more about the new accounting standards that include IT risk assessment.
Darren, could you introduce yourself?
Darren Hulem: Yeah. I’m Darren Hulem. I’m a Senior Manager in GRF’s Risk Advisory Practice.
I focus on cybersecurity, IT, all the fun tech stuff that’s my wheelhouse. My background is coming from working at various MSPs or managed service providers in the DC area. And then I’ve moved more into the risk advisory practice. I’m more consulting with clients than in the middle saying, hey, this is how you can fix things.
I am a certified ethical hacker, a certified information systems auditor, auditing IT systems. And that’s where SAS145 comes in.
SAS145 Accounting Standards Guidelines
SAS145 is a statement on accounting standards, number 145. It looks at more of a holistic view of the organization, really focusing on risk assessment. So when you get your IT form or your IT risk management form from your auditors for your financial statement audits or your uniform guidance audits, any of those types of audits that ask for it, they’re really just trying to see, does the audit team or the financial side of the team, do they need to augment their testing in any way? And if so, they’ll do that.
That risk assessment really identifies, hey, are we having heightened risk? Is the risk level low, medium, or high, depending on how the organization is designed? Do they have on-premises systems? Are they leveraging all cloud? Do they leverage all internal staff? Do they leverage any outside service providers? And are they monitoring those outside service providers? Are they doing third-party risk management?
Monitoring Vendors
Everybody’s moved to the cloud, which is great. Let the cloud experts be experts and let us focus on our mission or what we do. But at the same time, we still need to monitor those trusted parties.
I mean, malicious actors don’t go after, well, they still go after everybody, but why go after one when I can go after one company that supports 50? So go for potentially the weak link in the chain. Everybody’s going to eventually get looked at as just who’s protecting everything. And a lot of times people assume that, hey, they’re a big third party. We’ve seen Equifax, a very large company that has had issues with patch management and our social security numbers are all out there.
Carolyn Woodard: I think we often recommend that you need to have that vendor list because you need to know. Sometimes the vendor won’t tell all of their clients right away, they’re trying to fix their problem internally, and then finally you find out. You do need to know that you’re exposed in that way to those vendors.
Darren Hulem: A lot of times people don’t even know what their vendor list is. Sometimes they even have to go, hey, who do we pay? Let’s see what they even do, what department needs them, or who’s asking for reimbursement for this service. We have another service that’s the same thing, why are we not using that? That’s consolidating vendors and a bigger analogy. Why are we paying for two mass marketing tools when we can actually do one? Does one do one better? Doing an assessment and learning the vendors, really understanding that, potentially saves the organization money.
Closing Unused Accounts
Carolyn Woodard: You too want to check on those accounts and subscriptions because it does happen that we have clients come to us and we do that assessment as part of bringing them on as a client, and we’ll find 20, 30 staff who have departed, but those accounts were never closed, or those subscriptions were never ended. Hopefully none of them left in a huff, but if they did and they still have access to that account, that’s not good.
Darren Hulem: Right. Especially what data is in those accounts? Is it PII? Is it donor lists? Is it your secret sauce for your organization?
Carolyn Woodard: Your network, people that you’re working with, partners?
Darren Hulem: Or are you leveraging a third party, that person that you gave access to the system, maybe they’re not there anymore. So, who’s monitoring that account?
Carolyn Woodard: All good things to know.
Risk Assessment at Nonprofits
Darren Hulem: SAS145 or the IT form in general is a risk assessment tool. It’s supposed to help the audit, the financial statement auditors, if they need to augment their testing in any way.
Say, for example, if the client had a breach, or if everybody shares one account for the accounting system, okay, well, that’s not best practice. You would see that pop up as an issue. A lot of times they say, oh, well, we don’t have information security policies or procedures. Or our outsourced IT does. That’s great that they have them. There should be ones for the organization. Your outside IT can help, a third party can help, or you can develop them all internally that they should follow. And they can kind of say this is a best practice, we should do this.
But unless they’re designing one specifically for you, it’s a general one that says, hey, we’re going to contact our POC at the client. It’s not going to say we need to bring this system up first and this order. There’s a special order or this is who we need to contact.
Most of the time, it will be the point of contact, but there should be something designed that says, hey, Community IT or any other MSP needs to contact John. He’s the main person and let him know what’s going on. And maybe it’s a cadence of every hour or every two hours, if it’s a ransomware vendor or something like that.
Carolyn Woodard: And often we will say, and if John isn’t available, who is the next person on the list. And our best practice is after talking and hearing people’s stories too, is to have that list in a physical copy. Because if it’s in the system that’s being held ransom, you’re not going to be able to call people.
Darren Hulem: That safe place that has everything is no longer safe and it’s not there anymore.
Carolyn Woodard: And it’s the opposite of what we usually say, right? Don’t put it on a sticky note on your laptop, but you need to have it in a physical document, and it needs to be updated, right? That’s the current list of who the contact tree is.
SAS145 as Auditing Tool
Darren Hulem: Really SAS145 is a tool to better understand the risk environment so that auditors can do a better job and find out what security is in place. It’s not necessarily new questions, it’s more of just do a deeper dive, look and see what is actually going on.
We could say in the past, hey, we have an accounting system, and we have permissions on there. Everybody has a different account. Okay, that’s great. And that’s most likely what it was.
Now it’s looking at, okay, how many admins do you have in your accounting system? Is it one person? Is it everybody? 20 people are admins that they all have the same thing? And is somebody reviewing what changes are being done?
We’re not necessarily going into testing, in a traditional audit sense. Testing if everybody has this access and they’ve had this access for 12 months, or they just turned it off because the audit time came in. We’re not doing a deep dive because remember, it’s just a risk assessment to see if we need to augment our testing at all.
Carolyn Woodard: I guess what I’m hearing you say is that it’s still a matter of best practices. The new guidelines aren’t always asking for very specific risk assessment, like drilling down into those specifics, but they are asking, do you have these types of protections? Is that fair to say?
Darren Hulem: Yeah, I would say that’s fair to say.
Carolyn Woodard: And then those protections, you have a standard of best practices. I mean, Community IT also, we have been saying so far that if you have put our best practices in place, you should be fine with these enhanced audit questions.
Darren Hulem: Right. And some of the ones that we put as best practice are, for example, we recommend you have cybersecurity insurance. Obviously, that’s communicated to the board or the people making the decisions at the organization, or the people that are in charge of managing risk. Sometimes it’s not the CEO or the president or the director. It is usually the board who is charged with that responsibility.
As long as the board is apprised and makes a decision, hey, we think it’s great and we agree with you; or our risk tolerance is a little higher and we feel like we can’t maybe afford it, or whatever the case may be; they can ultimately make the decision. That’s something like the best practice. We’re not just going to keep on the management letter comment just to leave something on there. If you’ve made a decision, you’re aware.
And other ones are enterprise risk management. Obviously, the IT forum, everybody goes IT forum, right? It’s focused on just IT. It’s actually IT and risk management. It’s how the organization manages risk. So that can be HR, talent management, it can be a variety of things. Obviously, economics, right? That’s a big one. Or funding, if you’re using government grants and stuff, that’s obviously a big one that’s come up recently.
IT Risks in a Holistic System
A lot of people focus just on the IT aspects. And we try to say to the organization, that’s great, focus on IT, but let’s do the whole organization. It depends on the size of the organization; some of it makes sense, sometimes they don’t have the bandwidth, unfortunately, just because of sheer size and time.
Carolyn Woodard: I think that is so interesting about adding in the IT aspect to the regular financial audits that are assessing risk, is that as you’re saying, it’s a holistic system. So, if you have an organization culture that is paying attention to risk management, then IT would probably already have been in there.
Darren Hulem: Right.
Carolyn Woodard: It’s one of the things you need to consider. It’s a huge thing you have to consider around risk.
Darren Hulem: Right. IT is usually going to be on that top list in some way, shape, or form if you group things in different ways. But IT is typically up there unless you don’t have any IT systems. And it’s not very many organizations that have zero. I mean, I could probably think of a handful. Nonprofits generally don’t have risks like if IT were down for a day, our organization is done. We’re not a cloud provider, like AWS or something like that. It’s not going to be the end of the world for some organizations. Some it is, but obviously a medical facility, that could be a huge issue because it’s a life or death at that point. If it’s a content-based mission, then maybe people can’t get to it that day.
But obviously, that’s a risk that the organization has to determine. Do we have the funding to do that? What’s our risk tolerance level? Are we okay with it potentially going down? Obviously, nobody wants to go down, but if something happens, do we have to spend x, y, and z money to make sure it never goes down? Or will we be okay with it? Well, it goes down for an hour. People go get a lunch and come back.
Costs of Mitigating Nonprofit IT Risks Don’t Have to be Expensive
Carolyn Woodard: Exactly. One of the things we’re finding too is that, when you hear audit and you think about a non-profit financial audit, you just think about money and how much of the risk am I going to mitigate versus what is that going to cost?
But a lot of the cybersecurity and IT risk mitigation doesn’t necessarily have to be super expensive, it just has to be intentional.
A training program for your staff, that doesn’t necessarily have to be super expensive, but it can be just a monumental way to keep those risks down, stop phishing e-mails or that sort of thing. Wire fraud.
Role of Policy in Mitigating Nonprofit IT Risks
Darren Hulem: Yeah, definitely.
Carolyn Woodard: I mean, a lot of it is training people, having a written policy that people are aware of. Because obviously, if it’s not written, someone will be like, well, I didn’t know I was supposed to do that, or I wasn’t supposed to do that.
Darren Hulem: A lot of things for the financial statement audit are really making sure you have correct segregation of duties. Obviously, if you’re a small organization, you’re limited in that there needs to be some way to monitor that fraud or something else isn’t happening.
Even maliciously or unintentionally, people make mistakes. I mean, that’s part of the reason why there are audits, because people make mistakes. That’s why erasers are invented, right? Erase and start over.
But a lot of people, they’re a small organization, they say, well, we can’t really have segregation of duties. Well, let’s think of a way to do it.
The board is ultimately responsible for risk oversight. Send somebody on the board, like every quarter, the report from QuickBooks Online of any new vendors added. It’s a great deal. So they can be, okay, there’s a new vendor, why are there 20 new vendors? We make one payment to one of them and never see them again. Maybe that’s an issue. Maybe it’s not.
It’s really that someone is always watching, whereas my boss always says, in IT, who’s watching the watcher? IT has always been the person that’s monitoring, supposedly monitoring, but it’s who’s watching what they’re doing. Because in the past they could theoretically have done whatever they wanted. They had admin rights to everything, and now a lot of organizations, especially the middle, the medium-sized and smaller ones, they outsource that.
A lot of times, Community IT does not have access to QuickBooks Online. When I worked for MSP, I didn’t want any access to that. I can make sure you can get to it, but I don’t want to be in there. It’s just not something I want to be responsible for. I don’t want to be on the hook if something goes wrong. Just keep me out of there.
Best Practices
Carolyn Woodard: Exactly. We’ve talked about a couple of things for best practices. You’ve mentioned right away having the policies, having that employee handbook that has the acceptable use and the other policies around IT use and IT risk.
It sounds like you’re saying that responsibility needs to be owned by someone. It could be someone on your board, it could be someone in your executive team, it probably shouldn’t be someone in the IT team, or it definitely shouldn’t be someone in the outsourced IT provider. Defining that ownership and responsibility is important.
We talked about training being very important to add training in or have training around those policies clearly.
Are there other areas? We’ve talked a little bit about what do you do when something goes down, for example, or if you do discover something suspicious, or an employee who’s been through the training says, oh, I clicked on this thing and now I’m really suspicious. I think I sent the money to the wrong place, or I think I clicked, now my laptop is acting funny, and I don’t know what happened. What is the best practice around that?
Darren Hulem: Yes. Obviously, the first thing that I would do is contact your IT provider if you have one. It’s so much better to be honest and say, hey, a mistake was made, we’re human. Instead of hiding it and pretending it didn’t happen, that’s almost worse because it looks like something. Were you trying to hide it on purpose? Organizations should definitely not come out and say, if you do this, you’re fired. Then people aren’t going to report it. I made a mistake; I don’t want to lose my job. Being able to have a safe place to say, hey, I made a mistake.
Obviously, if it keeps happening, then that’s a different issue. But one time, let’s get ahead of it.
There should be a lot of controls in place so that doesn’t happen, and that’s part of the reason. I click the link, but it still has to go through someone else for a payment to be processed. Having those additional controls in place is definitely a good thing.
We definitely recommend organizations have an IT or cybersecurity risk assessment. Once a year, every other year, something along that cadence, and then based upon any gaps found there, develop a policy or a procedure that says how are we going to fix or mitigate those, any issues or any weaknesses.
I know we spoke about, access controls and having other people do things and making sure that everything is secure. A lot of people use an outsourced accounting provider. There are tons of them out there, tons of accounting firms that do bookkeeping and tax preparation, and things like that.
A lot of times what we see in the audits is, hey, I use so-and-so provider, and they have access to my QuickBooks or Sage Intacct or whatever accounting system we use, and we have no access into it. Well, who’s monitoring what they’re doing? Yes, there are reputable firms out there, but you are ultimately responsible for it. You should be aware of what’s going on with all your outsourced providers.
A great example, I think is, okay, I go to the bank. I go to Bank of America or M&T or whoever it is. And say, here’s my money. They’re in charge of it. I can’t look and see. That would be a problem. I wouldn’t say “hey just do everything for me.” No, you’re going to want to know where your money is going, unless you have like an exorbitant amount that you really don’t care. But a lot of us aren’t in that position.
Carolyn Woodard: So well, I would say even especially if you have an exorbitant amount, keeping an eye on it.
Darren Hulem: Right. To keep it like that.
Nonprofit Security Resources Right Under Your Nose
Carolyn Woodard: We talked a little bit about that phone tree, what the resources are when you do have any issue. I mean, I know if you use QuickBooks, they have a lot of resources and tutorials and support for being safe in your money transactions. So that’s a resource that you can use.
I know if you have insurance, they’re usually the first one you’re supposed to call if there’s something that’s really going wrong.
Darren Hulem: I would probably call my managed service provider if I had one before I call the insurance company, just to be like, hey, is this a real incident event that happened? And if yeah, unfortunately, then I would say call your insurance provider.
Just because depending on who they are, you never know if it’s going to potentially raise your rates from being like, oh, what happened? You probably should do an investigation to see. But if you already have someone that can help, it would be like, yeah, we really think we should call them. There’s probably an issue here. I would definitely leverage that. If you don’t have it and you don’t have somebody that can do that on staff, then I would definitely recommend contacting your insurance provider and saying, we think there’s something that happened, what’s the next step? What do we do?
Obviously, if you’re paying for a service, make sure you’re getting the whole use of it. A lot of times, those insurance providers add additional services in there like coaching, training or different things. So always ask them what else is in this policy? Is there anything that I can do to lower my rate? What would lower my rate? Do I need to have a risk assessment?
A lot of times I’ve seen, and obviously I’m not an insurance broker or anything like that, but I’ve seen is they ask, do you have an incident response plan? No? Okay. Well, that may increase a little bit. How secure are you from a public perspective? What can a hacker see of you? What can OSINT or open-source threat intelligence see of you?
If that’s higher, then you’re not necessarily saying you’re an easier target, but you have the perception publicly that you are an easier target. Obviously, you could still be targeted if an organization just doesn’t believe in your values or whatever the case may be or what you do, then obviously you may be looked at and targeted from that perspective.
Another thing is cyber awareness training. Do your staff know what to look for? Are you at higher risk of having an event where obviously insurance likes to keep the money and not really pay out? How do you lower that risk?
Risk Assessment Rewards for Nonprofits
As I said, risk assessment definitely helps build your policy. It’s a pathway, right? Find out all the assets we have. Where do we save all our data? What is quote unquote sensitive? And that can be different for every organization.
A lot of times I hear people say, oh, we don’t have any PII, so we have no sensitive information. We don’t click credit cards, we don’t take social security numbers, so we don’t really have important information.
Your donor list is probably really important to you.
So as a hacker, if I got your donor list, I would start contacting them and saying, hey, here’s a new routing number, here’s a new to give us donations, right? That would be a problem, especially if I spoofed your email, maybe what I send to your business email account, make it look like it came from John’s email at x, y, and z organization. Here’s our new routing number, send us the money, we make donations. Instead of going to the organization, it goes right to me.
Start with an Assessment
Carolyn Woodard: I love that you talked about one of the first steps being that assessment. I know that we do have new clients come to us often and say they want something super sophisticated like pen testing or something on the higher end of testing for those risks, cyber risks. And we’re often just asking them, what do you have in place now?
First, you want to know what do you have in place? You don’t want to pay for a really expensive test that’s going to tell you, you are missing some fundamental things. Just do an assessment first and working to mitigate the things that come up in the assessment. And then if you still feel that you’re in an area, you’re at a size, you work in an issue advocacy area where you’re under increased risk, maybe you do need that more sophisticated testing. But start with an assessment.
Darren Hulem: 100 percent. Start with an assessment. Because if you can do a vulnerability scan that’s a fractional cost, you can be right away, say, hey, you have this vulnerability that is rampant in the wild right now.
Why pay for a 10 times 10 test to tell you the same thing? I can tell you that this is a vulnerability. Do you want me to get in and show you a good screenshot of your file? I can tell you, but it’s going to cost you a lot less money to have the same result.
Pros and Cons of Penetration (Pen) Testing
Not saying pen tests aren’t important. They are very important, depending on what your organization does and where your data is stored, that is very useful. A lot of people say, I want a pen test. Okay, great. What do you want to do it on? A lot of times they just want to pen test on everything. That is very expensive. Usually, they are very targeted to say, I want to test this website, or this website, or this web application, one, two, three, I want all those done. Or I want internally, or a lot of people say, I want a phishing simulation. Great.
That’s the social engineering test. That can be email, phone, text message. A lot of times people say at the same time, we use KnowBe4, or we use Proofpoint or some other phishing or awareness campaigns. We have that covered.
Yes and no. KnowBe4 and the other ones, they’re great tools to train your staff and have templated things and everything are great to send out. At the same time, a user clicks it and it’s more, I feel like it’s more of a game to them. They’re like, oh, I clicked it, and it just says, hey, you failed. IT is going to be in contact with you. And that’s it.
They say, okay, well, just every single time that’s what’s going to happen. It’s just we find out right away and that’s it. And what really happens is people can steal your credentials. There are tools out there that go and take your username, your password. The web page looks exactly like an Office 365 login, or it looks like a Google login has the same thing. And the one thing that’s different is that one letter in that URL banner.
A lot of times when I do pen testing, I’ll say, okay, I’ll change one letter. If you have an I or an L in there, I’ll put a tilde on top of it. And unless you’re really looking, you think, that really looks like my organization. You switch out one of those letters with another kind of letter and it’s game over. With that, I can take your username, take your password, I can also take your multi-factor token at the same time.
So unfortunately, MFA is not the shield that we all want it to be. It’s great to have there. It definitely deters, but you can still get past it. Trick a user into clicking that link, putting their credentials in, because I sent you a Google invite to share a document. That’s what I found out your organization uses. Say I sent this new invoice or new product offering or new grant that we got. You click it, use your name and password because you need to do that to get into the file.
And you say, oh, well, I got my MFA token just popped up in my phone. Let’s approve that. And at the same time, I take in all that information. And now I’m in. Google and Microsoft are great tools. Everything is in one spot. At the same time, now all your data is in one spot. Once I get into one thing, I have email, files, pretty much everything.
I’m not saying don’t use it. I use them, but you have to be very careful about what you’re clicking, and does it make sense? Was I expecting this email? When it’s too good to be true, it typically is too good to be true.
Carolyn Woodard: For sure. I really thank you so much, Darren, for your time today. I feel so much smarter about SAS145. And just thank you so much for sharing your expertise with us and our audience.
Darren Hulem: You’re welcome. Thanks for having me. Happy to come back anytime.