
Community IT Innovators Nonprofit Technology Topics
Community IT offers free webinars monthly to promote learning within our nonprofit technology community. Our podcast is appropriate for a varied level of technology expertise. Community IT is vendor-agnostic and our webinars cover a range of topics and discussions. Something on your mind you don’t see covered here? Contact us to suggest a topic! http://www.communityit.com
New Nonprofit Auditing Requirements SAS145 with Johan Hammerstrom
New nonprofit auditing requirements SAS145 now include IT and cybersecurity compliance. Are you ready?
In 2022 the AICPA Auditing Standards Board (ASB) issued Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. The new standard became effective for audits of financial statements for periods ending on or after Dec. 15, 2023. For more on the SAS 145 changes, read this article in the Journal of Accountancy.
For the first time, SAS No. 145 now provides explicit definitions for the terms general information technology (IT) controls, IT environment, and information-processing controls. In addition, as IT utilization brings additional risk, the new guidance expressly defines risks arising from the use of IT.
As audits proceed with the new guidelines, we expect a learning period for auditors, IT professionals, and nonprofit leaders. If you have questions about what the new requirements entail, you are not alone. Community IT has begun to field questions from our clients and their auditors about IT systems and cybersecurity controls. We will continue to share our insights and advice with our community as audits evolve to incorporate IT security.
We're happy to see IT security requirements finally addressed in financial audits, and we look forward to helping nonprofit leaders and auditors better understand the interplay of well-managed IT with better financial security and protection from bad actors.
Listen to CEO Johan Hammerstrom explain the changes to the guidelines in SAS145 that you will need to know whether you are in nonprofit IT, financial, or leadership roles, or an auditor looking for insights into the IT management side of the new requirements.
Since the new nonprofit auditing requirements SAS145 impact everyone in nonprofits, please contact us if you have more questions we can help with.
_______________________________
Start a conversation :)
- Register to attend a webinar in real time, and find all past transcripts at https://communityit.com/webinars/
- email Carolyn at cwoodard@communityit.com
- on LinkedIn
Thanks for listening.
Carolyn Woodard: Welcome everyone to the Community IT Innovators Technology Topics Podcast. I’m Carolyn Woodard, the host, and I’m here today with our CEO, Johan Hammerstrom, who’s going to tell us a little bit about some interesting new requirements for auditors. Johan, would you like to introduce yourself?
Johan Hammerstrom: Yeah. Thank you, Carolyn. My name is Johan Hammerstrom. I’m the CEO at Community IT.
What is SAS145?
One of the things that has been interesting lately is that the AICPA, the American Institute of Certified Public Accountants, released a new Statement on Auditing Standards, also known as an SAS. The Statement on Auditing Standards, number 145, which was released, I think, around this time last year, expanded the scope of risk that auditors need to evaluate when they’re conducting an audit.
That scope now extends to IT related risk. Financial audits are something that all nonprofit organizations have to do. Typically, they look for financial risks, and they want to see and make sure that the organization has adequate financial controls in place, safeguarding the financial assets of the organization.
SAS 145 has expanded that scope to start to examine IT-related risks, I think largely because IT risks can lead to financial risks. There isn’t much separation between IT risks and financial control risks, or in some ways IT risks ARE financial control risks, because there are pretty significant impacts from suffering an IT-related incident.
So increasingly, I think nonprofits are going to start having more requirements from their auditors to demonstrate that they have effective IT risk mitigation in place.
That’s something that’s been interesting to see. We’re starting to get questions from clients who, having gone through their audit, are being asked to provide proof of IT risk management, IT risk assessment, cybersecurity and other IT controls that can help them mitigate their risk.
Who Has the Answers?
Carolyn Woodard: Is this something that auditors, who used to be mainly financial auditors, are receiving their training as CPAs, and then they have information and knowledge, that they can help the nonprofits understand what the new items are, that they’re going to include on their audit?
Or is this something that nonprofits really have to look to their IT professionals to answer the questions that the auditors are asking?
Johan Hammerstrom: That I don’t know the answer to. How do we know? I am not an auditor. I have zero background with public accounting practices. I’m not a good person to weigh in on that.
I’m speaking from the perspective of someone who owns IT for a lot of nonprofit organizations and is getting questions and requests from auditors or getting redirected to us.
I think the SAS, I’ll read this statement from the Nonprofit Accounting Basics website.
“SAS 145 requires the auditor to identify general information technology controls that address the risks arising from the use of IT and evaluate their design and implementation.”
Auditors cannot continue to audit around IT controls. They have to audit the IT controls themselves. This is new.
My best guess is that most auditors don’t have a strong background in IT.
There’s probably going to be a combination of professional development and continuing education directed towards the accounting community to get better in this area and then also potentially bringing in third parties that could help with that evaluation.
It’s very similar to what you see in cybersecurity insurance applications where the questions come up. And if you’re looking at them from an IT perspective, oftentimes you have more questions. “Well, what do you mean by this? What does this refer to?” Sometimes the questions on an insurance application are worded in a way that doesn’t actually make sense in terms of the IT systems that are in place. And then oftentimes you’ll go back to your insurance agent and ask them, “what does this mean?” And they won’t know.
We’re probably in the early stages of a lot of learning about how to best implement these standards.
I certainly applaud adding more IT oversight into financial oversight of non-profit organizations, but I think it’s early days and there’s probably several years, if not half decades of development awaiting us as best practices are identified.
Carolyn Woodard: Absolutely. It’s good that you brought up cyber insurance, because that was what I was thinking of. And the first few years that those additional cyber insurance requirements were being required by insurance companies, it really felt a little bit like the insurance providers themselves didn’t have a ton of the knowledge that they needed to be able to explain them to their clients.
And we know that that’s getting better. But they do still rely a lot on IT providers also to figure out what they’re talking about and what will qualify as those controls.
So, I imagine that is going to also happen with auditors. But it seems like something that should have happened several years ago. I’m glad they are doing this now.
How to Answer the New IT Questions?
Would you say to clients that are facing this in their audit don’t panic if you’re seeing a lot of new requirements? Work with your auditor and then work with your IT provider to answer those questions?
Johan Hammerstrom: Yeah, definitely. I mean, what we’ve seen so far in terms of the types of questions that are getting asked are generally all answerable if you’re following basic IT best practices.
If you’re evaluating your information systems on an annual basis, if you’re implementing foundational IT policies, and you’re implementing good industry standard IT security controls, then you’ll easily meet the requirements that are being added to financial audits.
I think it’s a wake-up call for organizations that haven’t maybe been giving sufficient attention to their IT, and especially, I think, smaller organizations that have maybe been perfectly fine with an accidental techie. I’m talking about 10-to-15-person organizations that don’t necessarily need an outsourced IT vendor to support them at that size. Maybe they have someone on staff who’s capable of getting their tenants set up in Google Workspace and doing basic configurations on their equipment. They’re not necessarily going to have the professional expertise to write an IT security policy or implement all of the controls that would be considered industry best practice.
I think those are the cases where organizations might need to put more work into their IT than they’ve typically had to.
Carolyn Woodard: And for a good reason. I mean, adding this to the audit is going to help those types of organizations identify where they have vulnerabilities and vulnerabilities to their donor information, their advocacy information, the databases that they’re keeping, and all of those are good to put additional cybersecurity in place. Hopefully this new requirement will help identify some of those areas where organizations need more protections.
Implement Cybersecurity Awareness Training
Johan Hammerstrom: Some of the things that we’ve seen are very standard and things that every organization should be doing. One of those would be security awareness training. That’s something that you see on insurance applications, and you’re starting to see it in the feedback that’s being provided by auditors.
A good security awareness training program is probably one of the best protections an organization can put in place to prevent attacks, to prevent loss of data, loss of information, to prevent loss of funds.
And there are some great systems. We use a system, KnowBe4, at Community IT that is very effective. There are a number of really good solutions that are, you know, they’re generally, they’re systems. You don’t have to put together a training program yourself. It’s all kind of pre-built. And it’s updated on a regular basis to keep up with the latest threats and attacks. And these security awareness training solutions aren’t that expensive. They’re just a really good thing to have in place.
So, that’s one basic recommendation that’s easy to implement. And I think the biggest challenge that we’ve seen to getting a security awareness training program in place comes from senior leadership or from organizations that have some sort of, let’s say, organizational culture resistance to doing those sorts of training activities. Because that’s an initiative that is 10% technology and 90% change management.
Carolyn Woodard: And just like more of an HR function in some ways. This is your staff, your staff have to have certain trainings. And training is so different today too than it was. I mean, for most organizations, it’s not once a year watch a stupid hour-long video where you can just fast forward through and answer the same questions from last year.
Best practices now are the continual training in shorter videos or short questionnaires. And as you said, that’s a really good investment in your security and in your staff.
Johan Hammerstrom: Yeah, that’s one that I’ve seen pretty much universally asked on applications and audit forms. And then you can just put that in the employee handbook. You can make it part of your IT policies that employees have to participate in cybersecurity training.
Other Best Cybersecurity Practices to Tell Your Auditor?
Carolyn Woodard: Are there other best practices that come to mind that are pretty commonly being asked about, like MFA protections or other financial controls that organizations might already have or might need to look into?
Johan Hammerstrom: We consider MFA one of the best ways to prevent account compromise. Having multi-factor authentication implemented and enforced for all of your staff is probably the best way to ensure that your accounts aren’t going to get hacked, and hacked accounts create a host of other problems and issues. The way in which a lot of threat actors gain access to an organization is by hacking someone’s account. Multi-factor authentication really is the best way of preventing that from happening.
Interestingly enough, it’s not universally asked on these applications, and I don’t know why that’s the case. You kind of wonder if the entities that are putting these applications together really understand the technology behind it, because sometimes it doesn’t get asked at all, and other times it gets asked, but in ways that are just sort of a blanket statement, and aren’t necessarily appropriate to the specific IT systems that an organization has.
We would strongly recommend MFA, regardless of whether or not it’s something that your auditors or your insurance carrier is asking about. It’s not always required by those entities, although I’m sure that will change at some point.
Documents and Governance Policies
Carolyn Woodard: Are there any other questions for people to be aware of that are getting asked?
Johan Hammerstrom: Well, especially with audits, where auditors are reviewing controls, they’re asking to see documents and policies. I think that’s what you might need to prepare yourself to put together.
Templates
There are plenty of templates out there. Some are very basic. Some are extremely involved and complicated. And you can use those templates to put together your policies.
But often, my recommendation is to start with the policies that you have and use that form and format, because it’s going to vary based on the size and complexity of the organization. A 10-to-15-person organization isn’t going to need the same type of policy document that a 200- or 300-person organization is going to need. It’s going to be overwrought for a small organization if you’re using it. NIST, the National Institute of Standards and Technology, has the foundational template for IT policy and controls, and it’s extremely long and involved.
Who Sets Policy?
I think the other thing to keep in mind is that you can’t just go to your IT person or IT support provider and say, “hey, can you give me the policy document?” The policy is meant to reflect actual controls that an organization has in place.
So simply having a document that you’ve copied off of the Internet, that you haven’t actually walked through and said, “here’s how we’re going to implement these different controls,” is not going to work. Like I said, I’m not an auditor, so I don’t know how far that would take you.
To actually put together a credible policy and control document requires time. If you don’t have one, you don’t have one. If you need one, it’s going to take time to put one together, and it’s going to require the buy-in of the senior leadership of the organization.
So, I guess that’s my recommendation, if you think you’re going to need to put together a policy and controls document, brace yourself for the work that’s going to need to go into doing that. Because the document reflects the organizational work that’s been done to implement the controls and policies. It’s a reflection of it. It’s not the work itself.
Carolyn Woodard: I’ll just jump in and say that we do have a bunch of resources on our website around IT governance. We did a webinar last spring, Making IT Governance Work for Your Nonprofit, and we have a lot of links there to some templates and a list of the typical policies that you might need to have.
And we also talked a little bit about this in the webinar that we did with our cybersecurity playbook for nonprofits, which is a free download on our site. And the bottom level of what we talk about in that playbook is your policies, and the top level is the compliance. It’s not enough to have, like you said, just a document that somebody just took off the Internet and didn’t even really change, and that has like 85 points of something or other that we’re planning to do.
The top level that’s owned by senior leadership is, are we complying with the policies that we have?
If you have a policy for off-boarding staff, for example, when they’re no longer employed by you, and part of that is deleting those accounts that have access to your data and could be compromised, as we were talking about, that’s good. But if you have that policy and no one is checking whether that policy is being followed, are those accounts being deleted and retired? If not, then you just have a kind of worthless piece of paper. You’re not actually doing those practices.
I like the way you put it that if your auditor or insurance isn’t asking about those things specifically, you might be able to squeak by with that document off of the Internet.
But are you doing enough to protect your organization is kind of a deeper philosophical question that you need to be talking about with the stakeholders at your organization.
Johan Hammerstrom: Yeah, and I haven’t seen a case where organizations need to submit policy documents for insurance coverage, although you do see it in other areas of insurance, particularly with other types of liability insurance, employment practices liability, for example. You probably need to submit your employee handbook, the carrier needs to have some of that information on file, and you’re signing, when you go to submit your application, you’re attesting to the fact that you actually comply with the stated policies that you’ve written. You don’t want to be in a situation where you’re submitting a policy document that’s vaporware, and that it’s a lot of good notions that aren’t actually being implemented.
And I think it’s the implementation that’s the challenging part, and that really needs to get the focus. And oftentimes, it requires both organizational support, particularly from senior leadership, as well as operational maturity.
If the organization has got its operations in order, then it’s not that hard to add in the IT operation and IT operational management that’s needed.
Carolyn Woodard: Well, those are all good. It’s very good information to have, Johan. Thank you so much for being with me today and sharing this new information that’s coming at us. Thank you.
Johan Hammerstrom: Yeah, my pleasure. Thank you, Carolyn.