IT, regulatory compliance best practices for nonprofits in 2017

Think of this column as a New Year’s resolution for your tax-exempt organization. Addressing each of the questions included here will be of current and future value to your nonprofit. In this column, I provide a list of best practices that every tax-exempt organization’s management and board should consider. The two areas covered, information-technology controls and government regulatory compliance, seem to appear in the news media on a weekly basis.

The questions below are structured so that any “no” answer requires some degree of follow-up or corrective action on the part of management. Each question’s applicability to your nonprofit will depend upon whether the corrective action is practical given your organization’s services and budget size. In addition to being practical, the corrective action you implement must be scalable, affordable, feasible, and enforceable (SAFE). I believe the practical-and-SAFE test should be applied to all policies and procedures, other than those required by laws and regulations.

Our firm, specifically its information technology (IT) experts, has presented a number of seminars on the topics of IT privacy and security controls. In attending these seminars, I was motivated to provide the following list of best-practice policies and procedures in this column. However, since I am not a technology wizard — I’m more appropriately labeled as a dinosaur — I decided to meet with two of my IT partners, Carl Cadregari and Charlie Wood. I sought their focused recommendations for their “Top 10” best practice areas. The results of that meeting and discussion produced the following recommended questions:


• Does the organization maintain an information-technology hardware and software replacement plan?

• Does the nonprofit have an annual IT work plan?

• Does the organization perform both internal and external penetration testing on a periodic basis (annually or more frequently), using external professional consultants, and track the findings through to remediation?


• Does the nonprofit audit its key and critical vendors for compliance with the data-security and privacy laws the organization itself must meet?

• Does the organization have the software needed to collect, retain, and alert on logs of attempted unauthorized access to its IT network and applications, commonly known as SIEM (security information and event management) software, and does someone actually review the alerts it produces?

• Does the nonprofit back up its key software-application files daily and store the backup copies in an off-site location that is not continuously connected to the production network, so that a ransomware infection cannot reach them?

• Does the entity have a well-documented and practical disaster-recovery plan that is tested, by actually restoring from backup, to verify that the backup and restore process works?

• Does the organization have a cyber-liability protection rider on its general-liability policy?

• Does the nonprofit periodically test employee compliance with its policy for preventing unauthorized access to its network and software applications, for example with simulated phishing e-mails? Periodic testing is needed because outside attackers increasingly target employees with sophisticated techniques rather than attacking the technology directly.


• Does the organization effectively encrypt all of its confidential data wherever it resides: at rest, in transit (e.g., e-mail), and on all portable devices (including smartphones)?

In addition to the meeting with Carl and Charlie, I also met with Paul Mayer and June Crawford, experts in our regulatory compliance practice group known as Compliance Solutions. I asked them for their Top 10 questions list for compliance with laws and regulations. They provided the following:

• Has the nonprofit’s compliance officer been diligent in preparing an annual audit work plan that is reviewed by senior management and the audit committee?

• Has senior management completed an enterprise-wide risk assessment that has adequately identified both internal and external risk factors?

• If the answer to the question above is yes, has the organization’s management confirmed that all risks, as appropriate, have been addressed in the annual compliance work plan or some other internal-control process?


• Has the nonprofit been diligent in obtaining business-associate agreements from all vendors, consultants, and professionals that provide service to the organization and may have access to protected health information?

• Does the nonprofit, if subject to Medicaid compliance requirements, diligently complete the compliance program effectiveness review self-assessment of the New York State Office of the Medicaid Inspector General (OMIG)?

• Does the organization, if subject to Medicaid compliance requirements, submit the required annual regulatory compliance attestation report to the OMIG each year?

• Does the entity have sufficient documentation regarding cost-allocation procedures in compliance with the cost-reporting regulations of its various funding sources?

• Do the nonprofit’s program activities and services match the defined mission of the organization as reported on its IRS Form 1023 application?

• Regarding the nonprofit’s retirement plan, have all amendments been reviewed by legal counsel to document that the amended plan is compliant with DOL and IRS regulations?


• Does the organization’s compliance officer meet with the appropriate board committee in executive session on an as-needed basis, but no less than twice each year?

The best defense is a good offense. While the best practices referred to above are certainly not all-inclusive, conducting a review of these areas, with appropriate modifications, will certainly strengthen the protections that tax-exempt organizations need in an era of rapid technological change.

Gerald J. Archibald, CPA, is a partner in charge of the management advisory services at The Bonadio Group. Contact him at (585) 381-1000, or email: garchibald@bonadio.com
