Nonprofit leaders know they need to strengthen IT controls, but often don’t know where to begin. The best place to start is by asking better questions, beginning with: What could go wrong?
IT controls are more than a checklist
Getting a grasp on IT controls isn’t just a box-ticking exercise. It requires a mindset of curiosity: a willingness to look for weaknesses and fix them before something goes wrong. It’s about protecting your mission. By starting with better questions, you can strengthen the controls that address the highest risks to your organization, and in doing so safeguard the trust that donors, staff, and the community you serve place in you.
Kickstart critical thinking
Starting with “what could go wrong” helps jumpstart a chain reaction of critical thinking. Then follow up with “why” and “how.” Hold regular tabletop exercises where key leaders come together to brainstorm risks, walk through the response, and find potential control weaknesses. Here’s an example of such an exercise:
What could go wrong? We could lose access to financial data when we need it most.
Why would it happen? A cloud service provider could experience an outage.
How would we address it? We would recover data from our offsite backup.
If you can answer that last question, you have identified a key control. Follow up by assessing how strong it really is (when was the backup last tested? how old would the restored data be?). If you can’t answer it, you have a gap to close.
Prioritize by likelihood and impact
Next, assess the likelihood and impact of each risk. Ask “how likely is this to happen?” and “how much damage would it cause?” These questions help you decide where to focus your time and resources. For example, a temporary glitch in a non-critical scheduling tool is a low-likelihood, low-impact risk. On the other hand, a shared password for financial software that has no multifactor authentication is a high-likelihood, high-impact risk: shared credentials leak easily, and a compromise there means fraud or loss of financial data. That’s where you need to focus your attention.
Turn insight into action
Better questions lead to actionable steps. Once you have identified risks and gauged their likelihood and impact, it’s time to prioritize risks. Here are some high-risk areas to address:
Physical access
Physical access is often overlooked. The best place to start is wherever critical servers and network equipment are located. Limit entry to authorized personnel and consider keyless entry systems that log who enters and when. Also think about environmental risks: the equipment holding data your organization needs to function may be susceptible to fire, water damage, or overheating.
User access
Every user account is a potential entry point for unauthorized activity. Excessive or inappropriate access increases risk and undermines segregation of duties. For example, a single user who can both enter an invoice and approve it could create and approve a fraudulent payment with no one else involved. The best way to prevent excessive access is to automate revoking access when an employee leaves or changes duties, and to review who has what access on a regular schedule. If automation isn’t practical, make revoking software access a priority by adding it to your offboarding checklist with documented signoff, so staff are held accountable for revoking access in a timely manner.
Data backup and recovery
Ask how your organization would recover from an outage or ransomware attack. Regular backups to secure locations are essential, with periodic restore tests to confirm that operations can actually be brought back quickly. A backup that has never been restored is an assumption, not a control. Keep at least one copy offline or otherwise unreachable from your normal network, since ransomware that can reach your backups will encrypt those too. Nonprofits increasingly rely on cloud service providers with disaster recovery plans, but those plans don’t eliminate your risk: they cover the provider’s outage, not an account compromise or an accidental deletion on your side. Regularly exporting critical data to storage you control gives you a copy to fall back on in either case.
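The restore test the paragraph above asks for, written out as an added example (this is not code from the original article). It builds a small constructed sample data set, backs it up to a tar.gz archive, restores it into a separate directory, checks every file against the source by SHA-256 digest, and checks the backup’s age against a recovery point objective. The restore step also refuses archive entries that would write outside the restore directory, a check worth having when you restore an archive you did not create yourself. All paths and file contents here are assumptions made for the example.

```python
"""Backup restore drill on a constructed sample directory (added example)."""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> Path:
    """Write a gzip-compressed tar of source; arcname '.' keeps paths relative."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return archive


def restore_backup(archive: Path, target: Path) -> Path:
    """Extract archive into target, refusing entries that would escape it."""
    target.mkdir(parents=True, exist_ok=True)
    base = target.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            dest = (base / member.name).resolve()
            # Path traversal guard: every entry must stay under the target directory
            if dest != base and os.path.commonpath([str(base), str(dest)]) != str(base):
                raise ValueError(f"unsafe path in archive: {member.name}")
            # Only plain files and directories; no symlinks or device nodes
            if not (member.isfile() or member.isdir()):
                raise ValueError(f"unsupported entry type: {member.name}")
        tar.extractall(target)
    return target


def verify_restore(source: Path, restored: Path) -> dict:
    """Compare every source file with its restored copy by digest."""
    expected = sha256_of_tree(source)
    actual = sha256_of_tree(restored)
    missing = sorted(set(expected) - set(actual))
    mismatched = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {
        "ok": not missing and not mismatched,
        "missing": missing,
        "mismatched": mismatched,
        "files_checked": len(expected),
    }


def backup_is_fresh(archive: Path, rpo_seconds: int, now: float = None) -> bool:
    """True if the backup is no older than the recovery point objective (RPO)."""
    now = time.time() if now is None else now
    return now - archive.stat().st_mtime <= rpo_seconds


def run_drill(rpo_seconds: int = 24 * 3600) -> dict:
    """End-to-end drill: back up, restore, verify; then detect a corrupted restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed sample data standing in for a finance system export
        source = tmp / "finance"
        (source / "ledger").mkdir(parents=True)
        (source / "ledger" / "2024-q1.csv").write_text("date,amount\n2024-01-05,1200.00\n")
        (source / "donors.csv").write_text("name,email\nA. Donor,a@example.org\n")

        archive = make_backup(source, tmp / "finance-backup.tar.gz")
        restored = restore_backup(archive, tmp / "restore-test")
        clean = verify_restore(source, restored)

        # Simulate a silently damaged restore (bad media, partial copy) and re-check
        (restored / "donors.csv").write_text("name,email\n")
        corrupted = verify_restore(source, restored)

        return {"fresh": backup_is_fresh(archive, rpo_seconds), "clean": clean, "corrupted": corrupted}


if __name__ == "__main__":
    print(run_drill())
```

In a real drill the source would be yesterday’s export and the restore target a spare machine, but the checks are the same: every file accounted for, digests matching, and the backup younger than the longest data loss you can tolerate.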
Authentication
Authentication is about ensuring you know exactly who is entering IT systems, and keeping out those who shouldn’t. Shared passwords or weak credentials can open the door to fraud, data breaches, or stealthy infiltration. Give every person their own account, so that activity can be traced to an individual. Use the strongest multi-factor authentication method available (an authenticator app or hardware key rather than a code sent by text message), and enforce a strong minimum password policy in every case, not only where MFA is unavailable. Password-less methods such as passkeys offer the highest resistance to phishing, because the credential is bound to the genuine site and cannot be replayed to a look-alike one; biometrics on a phone or laptop typically unlock such a credential rather than replace it.
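The user access and authentication sections above both come down to one recurring task: an access review that compares what accounts can do against who should have them. The script below is an added example (not from the original article) of such a review run over a constructed export from a finance system and a constructed HR roster. It flags segregation-of-duties conflicts (one account able to both enter and approve an invoice, or enter an invoice and release a payment), accounts still enabled after their owner left, shared accounts with no individual owner, enabled accounts without MFA, and accounts idle for more than 90 days. The field names, role names, employee IDs and the conflict list are all assumptions made for the example; a real review would read these from your system’s user export and your HR system.

```python
"""Access review over a constructed account export and HR roster (added example)."""
from datetime import date

# Constructed sample: user list exported from a finance application (not real data).
# Assumed fields: account, owner (employee ID or None for shared accounts),
# enabled, mfa, roles, last_login.
ACCOUNTS = [
    {"account": "jdoe", "owner": "E102", "enabled": True, "mfa": True,
     "roles": {"ap.enter_invoice", "ap.approve_invoice"}, "last_login": date(2024, 5, 28)},
    {"account": "msmith", "owner": "E117", "enabled": True, "mfa": True,
     "roles": {"gl.post_journal"}, "last_login": date(2024, 2, 10)},
    {"account": "finance-shared", "owner": None, "enabled": True, "mfa": False,
     "roles": {"ap.enter_invoice", "payments.release"}, "last_login": date(2024, 5, 30)},
    {"account": "kwong", "owner": "E205", "enabled": True, "mfa": True,
     "roles": {"ap.approve_invoice"}, "last_login": date(2024, 5, 29)},
    {"account": "oldintern", "owner": "E301", "enabled": False, "mfa": False,
     "roles": set(), "last_login": date(2023, 8, 1)},
]

# Constructed HR roster keyed by employee ID (assumed format)
ROSTER = {
    "E102": {"name": "J. Doe", "status": "active"},
    "E117": {"name": "M. Smith", "status": "terminated"},
    "E205": {"name": "K. Wong", "status": "active"},
    "E301": {"name": "Former Intern", "status": "terminated"},
}

# Role pairs no single account may hold: whoever creates a payment must not
# also be the one who approves or releases it. Assumed role names.
SOD_CONFLICTS = [
    ("ap.enter_invoice", "ap.approve_invoice"),
    ("ap.enter_invoice", "payments.release"),
    ("vendor.create", "payments.release"),
]


def sod_violations(accounts, conflicts=SOD_CONFLICTS):
    """(account, role_a, role_b) for every enabled account holding a conflicting pair."""
    found = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        for a, b in conflicts:
            if a in acct["roles"] and b in acct["roles"]:
                found.append((acct["account"], a, b))
    return found


def orphaned_accounts(accounts, roster=ROSTER):
    """Enabled accounts whose owner is terminated or unknown to HR: offboarding missed."""
    return [a["account"] for a in accounts
            if a["enabled"] and a["owner"] is not None
            and roster.get(a["owner"], {}).get("status") != "active"]


def shared_accounts(accounts):
    """Enabled accounts with no individual owner: activity cannot be traced to a person."""
    return [a["account"] for a in accounts if a["enabled"] and a["owner"] is None]


def accounts_without_mfa(accounts):
    """Enabled accounts that can log in with a password alone."""
    return [a["account"] for a in accounts if a["enabled"] and not a["mfa"]]


def stale_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts unused for longer than max_idle_days: candidates for removal."""
    return [a["account"] for a in accounts
            if a["enabled"] and (as_of - a["last_login"]).days > max_idle_days]


def access_review(accounts=ACCOUNTS, roster=ROSTER, as_of=date(2024, 6, 1)):
    """Run every check and return the findings as one report."""
    return {
        "sod_violations": sod_violations(accounts),
        "orphaned": orphaned_accounts(accounts, roster),
        "shared": shared_accounts(accounts),
        "no_mfa": accounts_without_mfa(accounts),
        "stale": stale_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    for finding, items in access_review().items():
        print(f"{finding}: {items}")
```

Each non-empty list in the report is a control that needs attention, not a fault in the script’s input: a segregation-of-duties conflict needs a second approver, an orphaned account needs to be disabled and the offboarding checklist fixed, and a shared account needs to be replaced with individual logins before MFA can be enforced on it.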
Cybersecurity
A cybersecurity policy sets the tone for accountability across the organization. It should define roles, responsibilities, access controls, backup procedures, and authentication requirements. Training is essential. Many vendors offer engaging training programs that include phishing simulations and skill assessments. Use reminders such as external-sender warnings in email and security messages on desktop backgrounds to keep security top of mind. Even small organizations without dedicated IT resources can assign a staff member to take charge of monitoring cybersecurity. Lastly, talk to your insurance provider about cybersecurity coverage; insurers often require specific controls such as MFA and tested backups before they will write a policy. These actions combined create a culture of security.
Strengthening IT controls begins with asking better questions. Ask What could go wrong? Why would it happen? How would we respond? These questions don’t just spark discussion, they drive action. If you want to strengthen your IT controls, your Hawkins Ash CPAs representative would be a great resource.