Best Practices for Securing Valuable Organization Data

Monday February 27, 2023 comments

Any accounting business and tax advice contained in this podcast is not intended as a thorough in depth analysis of specific issues. Nor is it a substitute for format information. Nor is it sufficient to avoid tax related penalties.

Hey, it's Chyla Graham, you're listening to another episode of The Nonprofit Ace Podcast here. I want to make sure that nonprofit leaders feel comfortable talking about money. Part of those conversations need to be about fraud. 

Are you susceptible to it? How could it happen? How will we stop it? How will we catch it? What will you do after it happens? And so this season, I wanted to make sure you get some of those practical tips. We are doing our fraud risk assessment, check out the show notes, you can get that download and ask yourself these questions during your next board meeting. 

This week's set of questions about the organization in action. So this is what we say we do and then there's how we actually do it. And so these are the questions you want to ask yourself specifically around cash. So who can get their hands on cash? So think about who collects money, not in theory, but in actual practical application. Who collects money? Who's doing the deposit? Who's recording the cash? Who's signing the checks? What's the approval process, when we want to spend money? Who has access to debit and credit cards? Think through the practicality, the actuality of things, so that you can say, okay, are we circumventing what we said in theory?

Think about, next, who has access to sensitive or valuable information? So think about your physical documents. So if you're still writing checks, where are the physical checks maintained? Who has access to your bank account information, who can log into the bank account, who has access to payroll information, who can log into the payroll system, who can update the payroll system. 

This is important because you want to make sure one useful thing is to have unique logins. So if you know, oh, only this person is using that login, you can better track, oh, if something goes wrong, more than likely it's this person, unless their login was compromised. You want to think about who has access to payroll information and who can update it because you want to be able to say, we're not just changing payroll based on a conversation, there's been approval, this one to the board, there is a process to this. So if you don't already have a payroll change form, Google is a very easy place to get that. 

But you want to think of, hey, what's going to be on this? One, you want to know, what was their old rate? What's their new rate? Who approved this? When is it effective? Why? Because if you send me an email, you say, Hey, you got to change Chyla’s pay rate and I don't know why. If this information is wrong, I have no justification, I have no way to protect myself. And so when you're thinking about fraud and how it occurs, and how to stop it, you're not just thinking about the organization, you're also thinking about the reputation of your employees, and what do you need to do to safeguard them. 

So another question about your organization and action is, are you cross training staff? So when someone goes on vacation, who will do their work? A lot of fraud is uncovered when people go on vacation, and someone else has to fill in because there's a standard process. See, that's why it's important. They know, okay, these are the steps that are involved. When they go to complete those steps. They might see like, this doesn't look like that's how it was done. That seems weird. They can ask questions, because they're looking at this is what's supposed to happen. So that's why it's important that you've documented, that's why it's important that you encourage people to go on vacation, because you want to know that your system works even if they are not there. 

Another thing you should be checking on is when and on what does the board chime in on? So if your policy is saying, yes, the board approves purchases above 10,000. If we were to look at your cash records about cash that went out and I look at your actual minutes. Those aren’t mentioned. So it's a clarification that needs to be done on, oh, the board chimes in on things not already approved above this threshold, so that it's clear what the board is actually going to say, Yep, that's our fault, we missed that. They might say, oh, we should have caught that a different way. It wasn't because the approval went out wrong. 

The other thing is like what deviations are possible? So if you know your process is that checks over $5,000 require two signatures. Does your system require that? So if the check got to the bank, would they still cash it? Yes and that's a deviation from your system. And a possible solution is to look at a system like where it says you can put in those parameters. We need approvers. So because they're digital, they're not physically signing the check. There's a different way. So you say, Okay, we need two approvers if it's above this amount, and because is not personally invested, there is no sob story you can tell, like, can we not do it this one time? is like, well, when that second person approves, that's when I will send this check out. 

And so think about that as you get through this week. Think about the things that your organization actually does. Not what it says it does or what it wants to be doing but what actually is happening at the organization so that you can document that. Compare it with what you're targeting to do and you can work towards it, you can think of ways to improve. 

Remember, during your fraud risk assessment is not just about protecting the organization. It's also about protecting the reputation of your employees and your workers. All right, then. Have a good day. This has been another episode of The Nonprofit Ace Podcast.


Visit Us On The Web

Join Our Newsletter

Schedule a Strategy Call

Sign-up for Six Week Course: Impact Basics

Follow us on Instagram

Like us on FaceBook

Follow us on Twitter

Connect with us on LinkedIn

Fraud Risk Assessment