New nonprofit auditing requirements SAS145 now include IT and cybersecurity compliance. Are you ready?
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
What is SAS 145?
In 2022 the AICPA Auditing Standards Board (ASB) issued Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. The new standard became effective for audits of financial statements for periods ending on or after Dec. 15, 2023. For more on SAS 145 changes, read this article in the Journal of Accountancy.
For the first time, SAS No. 145 provides explicit definitions for the terms general information technology (IT) controls, IT environment, and information-processing controls. In addition, because IT use brings additional risk, the new guidance expressly defines risks arising from the use of IT.
As audits proceed with the new guidelines, we expect a learning period for auditors, IT professionals, and nonprofit leaders. If you have questions about what the new requirements entail, you are not alone. Community IT has begun to field questions from our clients and their auditors about IT systems and cybersecurity controls. We will continue to share our insights and advice with our community as audits evolve to incorporate IT security.
Listen to CEO Johan Hammerstrom explain the changes to the guidelines in SAS145 that you will need to know whether you are in nonprofit IT, financial, or leadership roles, or an auditor looking for insights into the IT management side of the new requirements.
Since the new nonprofit auditing requirements SAS145 impact everyone in nonprofits, please contact us if you have more questions we can help with.
Some Key Takeaways:
- SAS 145 guidelines expanded the risks and controls that auditors should review to include the IT risk mitigation an organization has in place. These include requirements to provide proof of IT risk management, IT risk assessment, and the cybersecurity and IT controls that protect the organization from the financial risks of cybersecurity attacks.
- As these requirements are new, we expect a learning period both on the client side of nonprofit leaders and IT providers, and on the auditor side where new questions are coming out about the definitions and adequate proof of mitigation.
- Auditors cannot audit around the IT controls. They must now audit those controls themselves. Many auditors do not have a background in IT management, so we expect professional development for auditors to expand.
- The changes in these new auditing requirements are reminiscent of the changes in cyber liability insurance controls and the questions around those controls and requirements in recent years. If you have started thinking more about IT controls for your insurance, you are probably also better prepared to go through a new audit with the new SAS145 requirements.
- Don’t panic if you are seeing a lot of new requirements. Work with your auditor and your IT team or IT provider to answer the questions on your mitigation policies.
- If you are following good standard best practices for IT management at your nonprofit you should easily meet the new requirements being added to financial audits. You should be following these best practices anyway!
- An important best practice is a good cybersecurity awareness training program for staff. If you have not put a training program in place, you will need to do so to meet the new requirements.
- Multi-Factor Authentication (MFA) is the best way to prevent hacked accounts and increase security. Whether or not you are asked about MFA in your audit or cyber liability insurance application, we strongly recommend MFA for all staff for all accounts.
- Prepare to have documents and policies to show your auditor. If you do not already have basic policies such as Acceptable Use Policy, Privacy Policy, and Data Retention Policy, for example, expect to have to create those policies to adhere to new SAS145 guidelines. We have multiple resources on the importance of IT governance and where to start, including this webinar.
SAS145 is a wake-up call to nonprofit organizations that have not invested in IT management or have not implemented best practices in IT management and cybersecurity protections.
We have many free resources on our site outlining best practices, especially our Cybersecurity Readiness Playbook for Nonprofits.
Presenters
Johan Hammerstrom’s focus and expertise are in nonprofit IT leadership, governance practices, and nonprofit IT strategy. In addition to deep experience supporting hundreds of nonprofit clients for over 20 years, Johan has a technical background as a computer engineer and a strong servant-leadership style as the head of an employee-owned small service business. After advising and strategizing with nonprofit clients over the years, he has gained a wealth of insight into the budget and decision-making culture at nonprofits – a culture that enables creative IT management but can place constraints on strategies and implementation.
As CEO, Johan provides high-level direction and leadership in client partnerships. He also guides Community IT’s relationship to its Board and ESOP employee-owners. Johan is also instrumental in building a Community IT value of giving back to the sector by sharing resources and knowledge through free website materials, monthly webinars, and external speaking engagements.
Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.
She was happy to have this podcast conversation with Johan Hammerstrom on new nonprofit auditing requirements SAS145. Find more resources on Nonprofit IT Leadership here.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about your email safety and phishing attempts, you shouldn’t have to worry about understanding your provider.
If you have questions about the new SAS145 auditing guidelines you can contact us here.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
If you’re ready to gain peace of mind about your IT support, let’s talk.
Transcript coming soon!
Photo by Jason Goodman on Unsplash