Computers are now the most common medium used to store key and often highly confidential information about operations, programs and personnel. The computer has also replaced most manual accounting ledgers. Securing your computer and the data stored within is essential. You should take a few minutes to review the controls of your electronically stored information to ensure your:
- computer systems are checked regularly to make sure they are free of computer viruses
- computers are safe from theft and from unauthorized use at your organization
- electronically stored information can be restored in the event of a computer disaster.
Computer viruses get a lot of nasty press these days. If you download information/files from the Internet, use shareware or pirated software, give unsupervised access to users, or use disks that were written by another computer then you are at risk of catching a computer virus. The impact of a virus can be as benign as leaving a message on your screen or as devastating as destroying all of your files.
Generally you won’t know a virus has invaded your system until it’s too late unless you have an up-to-date anti-virus program checking all incoming files. Anti-virus programs are available commercially at reasonable prices and are easy to install. Electronic viruses mutate as quickly as their organic counterparts, so you should regularly install updates of your anti-virus software.
Theft and unauthorized use
Unfortunately, financial and other pressures on individuals can occasionally lead to theft of cash, computers or other assets within an organization. Regrettably, most business thefts are carried out by people within an organization. You should review security controls over computer hardware and software (such as programs used to print cheques and donation receipts and to record transactions) to minimize the risk of theft and the attendant aggravation and effort involved in replacing the stolen property and/or data.
The points that follow should assist your Board and staff in carrying out a review of your organization’s computer system controls. The list is not exhaustive. It is intended to point out some of the issues you should consider.
- Develop a written policy on computer security. Policies help people understand the importance of maintaining the accuracy, completeness and security of electronic information. Writing policies can also help your Board and staff to focus on issues of critical importance.
- Use passwords to make sure only authorized users have access to your system. Passwords can control access to computers and can restrict access to specific information stored on the system (e.g. personnel files). Passwords are only effective if they are known only to those personnel given the authority to use them. Occasionally a person will share a password with others in the organization to speed up a task. Also, some employees paste their password in a public place so that they won’t forget it. (Our favourite is the post-it note on the computer monitor). This sharing of passwords can: lead to confusion as to who has worked on a project; allow a person to make changes when he/she is not normally authorized to do so; allow the unauthorized loading of software which could contain a virus or simply be undesirable/inappropriate.
Passwords should always be changed when any person who has the password no longer works with the organization.
- Promote high employee morale. Some computer losses result from the actions of disgruntled employees. When staff feel they are dealt with fairly there is less threat of unauthorized use of an organization’s assets and computers and fewer acts of vandalism.
Financial strain has a direct impact on the resources available for staff remuneration. This is especially true in service organizations where staff costs are often the highest expense. Where funds are very tight you will need to promote high morale through creative recognition and reward schemes using non-financial benefits.
- Know the areas of potential input and processing errors in your systems. Most organizations use purchased software packages. Financial and other commercially available packages ordinarily have checks and balances built into them to ensure accuracy of information entered and processed. Some packages, including many commercially available donor database programs, are designed for maximum flexibility and present an increased opportunity for errors to occur. You should review your systems to understand how and where errors could occur and then develop adequate controls to ensure errors either do not occur or are caught before affecting reporting. Management should always review summarized data to ensure it makes overall sense.
- Hosting a website or an Internet domain on your in-house computer system can provide hackers with access to your stored information. As few not-for-profit organizations host websites on their own computer systems this is generally not a concern. Hosting a website or a domain on your Internet provider’s system does not expose your organization to any increased risk of unauthorized access by external users.
- Make sure clear transaction trails exist. Commercially packaged programs often have a built-in log that tracks who accesses the system and dates work as it is entered. The ability to review and trace when and where transactions are entered can be useful. For instance, if a person entering information is interrupted then he/she needs to be able to determine where to pick up entering data. In this case a data entry log will help to avoid entering data twice or not at all. A data entry log is also essential to investigate suspected cases of fraud.
- Ensure entries can be traced backwards and forwards through the processing cycle. This is referred to as having an audit trail. Your electronic records should contain sufficient detail to allow for transactions to be traced to the relevant individual, funder, supplier and employee. You should also be able to trace the entry through to supporting documentation such as invoices, payroll records, bank deposit books and cancelled cheques.
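The data entry log and audit trail described in the last two points above, as an added example written for this page in Python (it is not code from the article or from any accounting or donor package the article mentions). Each entry records who keyed it, when, the account and counterparty affected, and the supporting document, so an interrupted operator can see where to pick up, a source document cannot be entered twice, and any transaction can be traced backwards to its invoice, receipt or cheque and forwards to everything recorded against a donor, supplier or employee. It goes one step beyond the text by chaining each entry to the previous one with a hash, so that an entry altered or deleted after the fact is detected when the log is checked, which is the property an investigation of suspected fraud relies on. All names, account codes and document numbers are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import Optional


@dataclass(frozen=True)
class Entry:
    seq: int            # position in the log, 1-based
    entered_by: str     # who keyed the entry
    entered_at: str     # when it was keyed (ISO-8601 text)
    account: str        # ledger account affected
    counterparty: str   # donor, funder, supplier or employee
    amount_cents: int   # signed, in cents, to avoid floating-point rounding
    source_doc: str     # supporting document: receipt, invoice, cheque or deposit slip number
    prev_hash: str      # hash of the previous entry, which chains the log together
    entry_hash: str     # hash of this entry's own fields


def _hash_fields(fields: dict) -> str:
    # Canonical JSON so identical fields always produce the same hash.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class EntryLog:
    GENESIS = "0" * 64  # prev_hash used by the first entry

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def append(self, entered_by: str, entered_at: str, account: str,
               counterparty: str, amount_cents: int, source_doc: str) -> Entry:
        # A source document is recorded once only, so an operator who resumes
        # after an interruption cannot key the same invoice or receipt twice.
        if self.find_by_source(source_doc) is not None:
            raise ValueError(f"{source_doc} already entered")
        prev_hash = self.entries[-1].entry_hash if self.entries else self.GENESIS
        fields = dict(seq=len(self.entries) + 1, entered_by=entered_by,
                      entered_at=entered_at, account=account,
                      counterparty=counterparty, amount_cents=amount_cents,
                      source_doc=source_doc, prev_hash=prev_hash)
        entry = Entry(**fields, entry_hash=_hash_fields(fields))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """None when every entry is intact and in order; otherwise the seq of
        the first entry whose contents or chaining no longer match."""
        prev = self.GENESIS
        for expected_seq, e in enumerate(self.entries, start=1):
            fields = asdict(e)
            stored = fields.pop("entry_hash")
            if e.seq != expected_seq or e.prev_hash != prev or _hash_fields(fields) != stored:
                return e.seq
            prev = e.entry_hash
        return None

    # Tracing: backwards from an entry to its document, forwards to everything
    # recorded against one donor, supplier or employee.
    def find_by_source(self, source_doc: str) -> Optional[Entry]:
        return next((e for e in self.entries if e.source_doc == source_doc), None)

    def trace_counterparty(self, counterparty: str) -> list[Entry]:
        return [e for e in self.entries if e.counterparty == counterparty]

    def last_entry_by(self, entered_by: str) -> Optional[Entry]:
        """The point at which an interrupted operator left off."""
        return next((e for e in reversed(self.entries) if e.entered_by == entered_by), None)


def build_sample_log() -> EntryLog:
    # Constructed sample data: the names, accounts and document numbers are invented.
    log = EntryLog()
    log.append("alice", "2024-03-01T09:00:00", "4000-Donations", "J. Smith", 5000, "RCPT-0001")
    log.append("alice", "2024-03-01T09:05:00", "5100-Office", "Acme Supplies", -12050, "INV-4471")
    log.append("bob", "2024-03-01T10:30:00", "4000-Donations", "J. Smith", 2500, "RCPT-0002")
    return log


def detect_altered_entry(log: EntryLog, seq: int, new_amount: int) -> Optional[int]:
    """Simulate an after-the-fact edit of one stored entry (the log on disk being
    changed outside the program) and report which entry verify() flags."""
    altered = EntryLog()
    altered.entries = [replace(e, amount_cents=new_amount) if e.seq == seq else e
                       for e in log.entries]
    return altered.verify()


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify() is None)
    print("alice left off at:", sample.last_entry_by("alice").source_doc)
    print("J. Smith total (cents):", sum(e.amount_cents for e in sample.trace_counterparty("J. Smith")))
    print("altered entry flagged:", detect_altered_entry(sample, 2, -120500))
```

In a real package the log would be written to storage that ordinary users cannot rewrite, and the latest hash would be noted somewhere separate (printed on a month-end report, for example) so that the chain can be checked against a value the data entry staff never controlled.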
Recovery of Electronically Stored Information
If your computer is stolen or damaged you will need to reconstruct your data files. The easiest way to do this is to restore from a recent backup of crucial files. Backups should be made weekly or monthly, depending on the volume of transactions in your organization. Establish and document policies for how often backups are to be carried out, where backup files are to be stored and for how long.
For larger organizations, a second computer on the premises can be used for short-term backup. Information can be copied to it on a daily or weekly basis. If the main computer crashes then the second one provides a quick backup source and only a day or a week’s worth of data need be restored. An offsite backup of key information should still be maintained in case both computers are damaged in a fire or flood.
It is important to know the costs that would be involved in reconstructing data in case of a loss. Most organizations know the importance of keeping backup copies of financial data. However, other pools of data may be more costly to reconstruct or you may not be able to reconstruct them at all. Donor and medical record databases are two examples of information that could be very difficult to reconstruct. Your Board should ensure that all significant pools of data, including financial records, are backed up on a regular basis and the backup kept off-site.
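The backup practice described in this section, as an added example written for this page in Python (not a script from the article or from any product). It carries out one scheduled run: archive the data directory, record a checksum for every file, keep only the most recent backups according to a written retention policy, and then restore the new archive into a scratch directory and compare it with the checksums. The last step goes beyond the text: a backup that has never been restored is an assumption, not a recovery plan, and the check here also catches an archive that has been damaged on disk. The data files, the weekly schedule and the retention of four backups are constructed for this example; the off-site copy the text calls for would be a second copy of the same archive and manifest.

```python
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

RETENTION = 4  # how many backups to keep; a policy value assumed for this example


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(archive: Path) -> Path:
    return archive.with_name(archive.name.replace(".tar.gz", ".manifest.json"))


def make_backup(data_dir: Path, backup_dir: Path, stamp: str) -> Path:
    """Archive data_dir as backup_dir/backup-<stamp>.tar.gz next to a manifest of
    per-file checksums taken from the live data at backup time."""
    manifest = {p.relative_to(data_dir).as_posix(): sha256_file(p)
                for p in sorted(data_dir.rglob("*")) if p.is_file()}
    archive = backup_dir / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(data_dir), arcname="data")
    manifest_for(archive).write_text(json.dumps(manifest, indent=1))
    return archive


def apply_retention(backup_dir: Path, keep: int = RETENTION) -> list[str]:
    """Delete the oldest backups beyond `keep`; returns the archive names removed.
    Date stamps of the form YYYYMMDD sort chronologically as text."""
    archives = sorted(backup_dir.glob("backup-*.tar.gz"))
    removed = []
    for old in archives[:max(len(archives) - keep, 0)]:
        old.unlink()
        manifest_for(old).unlink(missing_ok=True)
        removed.append(old.name)
    return removed


def verify_restore(archive: Path, scratch: Path) -> list[str]:
    """Restore the archive into scratch and compare every file with the manifest.
    Returns the files that are missing or differ, or a single marker when the
    archive cannot be read at all; an empty list means the restore is proven."""
    try:
        manifest = json.loads(manifest_for(archive).read_text())
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):         # Python 3.12+ and backports
                tar.extractall(scratch, filter="data")  # refuse paths escaping scratch
            else:
                tar.extractall(scratch)
    except Exception as exc:  # unreadable media counts as a failed restore
        return [f"<archive unreadable: {type(exc).__name__}>"]
    restored = scratch / "data"
    return [rel for rel, digest in manifest.items()
            if not (restored / rel).is_file() or sha256_file(restored / rel) != digest]


def run_backup_cycle(data_dir: Path, backup_dir: Path, stamp: str) -> dict:
    """One scheduled run: back up, enforce retention, then prove the new backup restores."""
    archive = make_backup(data_dir, backup_dir, stamp)
    removed = apply_retention(backup_dir)
    with tempfile.TemporaryDirectory() as scratch:
        problems = verify_restore(archive, Path(scratch))
    return {"archive": archive.name, "removed": removed, "restore_problems": problems}


def demo() -> dict:
    """Constructed scenario: a small data set, six weekly runs, then the newest
    archive damaged on disk the way failing media would damage it."""
    with tempfile.TemporaryDirectory() as tmp:
        data, backups = Path(tmp) / "data", Path(tmp) / "backups"
        (data / "donors").mkdir(parents=True)
        backups.mkdir()
        (data / "ledger.csv").write_text("date,account,amount\n2024-03-01,4000,50.00\n")
        (data / "donors" / "donors.csv").write_text("name,last_gift\nJ. Smith,2024-03-01\n")
        start = datetime(2024, 3, 1, tzinfo=timezone.utc)
        results = [run_backup_cycle(data, backups, (start + timedelta(weeks=i)).strftime("%Y%m%d"))
                   for i in range(6)]
        newest = backups / results[-1]["archive"]
        raw = newest.read_bytes()
        newest.write_bytes(raw[:-40] + b"\0" * 40)  # corrupt the tail of the archive
        with tempfile.TemporaryDirectory() as scratch:
            corrupted = verify_restore(newest, Path(scratch))
        return {
            "kept": sorted(p.name for p in backups.glob("backup-*.tar.gz")),
            "removed": [name for r in results for name in r["removed"]],
            "all_restores_verified": all(not r["restore_problems"] for r in results),
            "corruption_detected": bool(corrupted),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest is what makes the restore check meaningful: the archive is compared with checksums taken from the live files, not with itself, so a backup that silently lost or altered a file fails the check rather than passing it. The same manifest lets you answer the question the text raises about donor and medical record databases: which files are in the backup, and when was each one last captured.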