Information Technology

Information Technology Risks


With non-profits and governments having a more prominent place in the digital world, it is critically important for organizations to assess their information technology risks. Cyber crimes are impacting not only large public organizations but also smaller entities such as local municipalities and grassroots non-profit organizations. In addition, organizations that have adapted their operations to a remote environment face additional risks. We have several recommendations and tips your organization should consider implementing in the next twelve months to improve its security protocols (if you have not done so yet).

  • Evaluate your IT service provider. Does your organization contract out its IT services or does it have in-house IT? If IT services are performed in-house, is there sufficient knowledge within your IT team, and is the workload manageable for them? If you rely on contracted services, is there an official agreement with the third party?
  • Evaluate the specific risks relevant to your organization. Do you accept online credit card payments? Are these transactions stored and processed on site rather than by a third-party payment processor? Is your organization required to follow the Health Insurance Portability and Accountability Act (HIPAA) to protect sensitive patient health information? There are also additional qualifications necessary for educational and financial institutions.
  • Evaluate your accounting software in terms of whether operations are automatic or manual, who has access to the software, documentation of rights to the software and the review of those rights. Evaluate your overall network security and individual application security.
  • Evaluate your access controls. (Access control is the component of data security that dictates who is allowed to use your organization’s information and resources.) Authorization controls have the goal of ensuring that the person seeking access is authorized, most often by means of login credentials. Basic authentication controls ensure that those in possession of the authentication key (user name and password) can access your systems. Enhanced authentication controls ensure not only that the person accessing your data is authorized, but also that they are who they say they are. Enhanced authentication can be obtained by using dual-factor authentication. Did you know that internal personnel are responsible for just as many security incidents as outsiders? Employees should have only the need-to-know access required to do their jobs and nothing more.
  • Is your organization following the NIST (National Institute of Standards and Technology) guidance on passwords? To be reliable, passwords should be a minimum of eight characters and a mix of lowercase letters, uppercase letters, numbers and special characters to increase their strength. There should be an automatic logoff or timeout due to inactivity, and the account should be locked out after three failed attempts (the duration of the lockout should be around 60-90 minutes to frustrate hacker attempts, and it could be indefinite for more sensitive accounts, requiring reestablishment of credentials). Terminated employees’ credentials should be removed or disabled in a timely manner. There should also be a segregation of duties, so that the person responsible for password policies, settings, and configurations is not entering data or accessing applications.
  • Evaluate your organization’s determination of access (is it the data owner or IT?) What about level of access? Is it role based or ad hoc? Structured access is best practice and exceptions should be minimal. A review of those who have access should be performed on a yearly basis at a minimum.
  • What about your organization’s server and network operating system? Server shares should be examined and used sparingly and judiciously, with rights to the server restricted for each group and user. Vendors should have read-only and temporary access to maintain or debug the server. Be certain to change or remove default account credentials.
  • What about your organization’s ability to recover from an adverse event affecting the IT infrastructure? Such events can be environmental, physical, internal, or malicious in origin. The Recovery Time Objective is the maximum acceptable delay between interruption of service and restoration of service. The Recovery Point Objective is the maximum acceptable amount of time since the last data recovery point. Evaluate how long your organization can afford to be down.
  • Does your organization have cyber security insurance? Insurance will cover losses in the event of an adverse event, though this insurance can be cost prohibitive for smaller non-profits and governments, and not all events are covered. You can lower your insurance costs by implementing a strong password control policy, including dual authentication, and by encrypting sensitive data and personally identifiable information. Lastly, control the number of records you access, store and transfer: don’t store PII (Personally Identifiable Information), and consider using a third party to store credit card information.
  • Does your organization back up its data through full backups and incremental backups? Since backups are critical to the disaster recovery process, evaluate who performs them and where these backups are stored.
  • Evaluate your organization’s security protocols. For software security, are patches and updates automatically applied? For network security, evaluate your firewalls, routers, intrusion detection, and data encryption. Evaluate your organization’s cyber security training practices.
  • Do you have effective IT governance? Is there an IT Committee on your organization’s Board of Directors?
  • What about the practices of your vendors? Have there been any security issues at the vendors you work with, and has your organization been made aware of any cyber incidents? If you outsource your payroll processing, investments and health insurance, you should evaluate whether the vendor’s controls are working appropriately and whether you have controls at your organization to ensure that the third party is performing correctly. You should obtain, review, and understand the third-party organization’s controls; any issues should be reviewed by management, which should ensure complementary controls are in place. Your auditors will request Service Organization Control (SOC) Reports. A SOC 1 Report provides information about the controls at a Service Organization that may directly impact its users’ financial statements. A SOC 2 Report provides information about the suitability of the design and operation of controls at the Service Organization relevant to security, availability, processing integrity, confidentiality, or privacy. A SOC 3 Report provides the auditor’s opinion on whether the Service Organization maintains effective controls over its systems and is typically intended for users who do not require a more thorough report.
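The password bullet above gives concrete parameters (eight-character minimum, four character classes, lockout after three failed attempts for 60-90 minutes, indefinite lockout for sensitive accounts). The following is an added illustration of those rules as a small policy check, not code from the newsletter or from NIST; the 60-minute lockout, the account names and the timestamps are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 3
LOCKOUT = timedelta(minutes=60)   # the guidance says 60-90 minutes; 60 is assumed here
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_meets_policy(pw: str) -> bool:
    """Minimum eight characters and at least one of each character class."""
    return len(pw) >= MIN_LENGTH and all(re.search(c, pw) for c in CLASSES)


@dataclass
class Account:
    name: str
    sensitive: bool = False            # sensitive accounts lock indefinitely
    failed: int = 0
    locked_until: Optional[datetime] = None
    locked_indefinitely: bool = False  # cleared only by re-establishing credentials

    def attempt(self, correct: bool, now: datetime) -> str:
        if self.locked_indefinitely:
            return "locked"
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"        # even a correct password is refused while locked
            self.locked_until, self.failed = None, 0   # lockout window has expired
        if correct:
            self.failed = 0
            return "success"
        self.failed += 1
        if self.failed < MAX_FAILED_ATTEMPTS:
            return "failed"
        if self.sensitive:
            self.locked_indefinitely = True
        else:
            self.locked_until = now + LOCKOUT
        return "locked"


def run_scenario(events: List[Tuple[bool, int]], sensitive: bool = False) -> List[str]:
    """Replay (correct?, seconds since start) login events against one constructed account."""
    t0 = datetime(2021, 6, 1, 9, 0)   # constructed start time
    acct = Account("demo", sensitive=sensitive)
    return [acct.attempt(ok, t0 + timedelta(seconds=s)) for ok, s in events]
```

Replaying three bad attempts followed by a correct one inside the window shows why the window matters: the correct password is still refused until the lockout expires.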

We understand the list of items above is quite extensive, and for many public agencies with limited financial resources it may not be feasible to implement all of these practices due to budgetary constraints. However, several of these items do not require any additional spending at all, only an overall commitment to investing the time needed to pay attention to critical security areas. We encourage you to implement the protocols that make sense for your organization with respect to your size, goals, and operations. If you have any questions regarding IT risks at your organization, please contact a member of your audit team.

COVID-19

Calculation of Lost Revenue for Institutions of Higher Education

The Coronavirus Response and Relief Supplemental Appropriations Act of 2020 (CRRSAA) included a provision to allow Institutions of Higher Education (IHEs) to reimburse themselves for lost revenue due to the coronavirus pandemic. Many IHEs have questions on what is considered lost revenue as well as how lost revenue should be calculated and supported. The Department of Education (ED) has issued an FAQ that answers many of the questions put forth by IHEs. The IHEs must now decide which calculation method to utilize to support lost revenue at their respective institutions.

Definition of Lost Revenue

Due to some difficulty in determining exactly when revenue declines occurred during the pandemic, the ED noted that any lost revenue starting March 13, 2020 (the date of the disaster declaration) can be claimed as lost revenue. Since the CRRSAA was written into law on December 27, 2020 and made retroactive, an IHE could go back to March 13, 2020 and recalculate all of its lost revenue. It could apply that lost revenue to the Higher Education Emergency Relief Fund (HEERF) 1.0 or HEERF 2.0 funds. This would be recorded on the June 30, 2021 Schedule of Expenditures of Federal Awards (SEFA).

Lost revenue includes academic sources such as tuition, fees, institutional charges, room and board, lost research money, summer terms and summer camps. Auxiliary revenue includes cancelled events, meaning both events that were scheduled but cancelled because of the pandemic and recurring yearly events that could not be held because of the pandemic. Auxiliary revenues would also include food service revenue, dormitory services, childcare services, use of facilities or venues, bookstore revenue, parking lot revenue, lease revenues, and royalties.

There are some revenue streams which are specifically not allowable under the lost revenue calculation. These revenue streams include capital outlays associated with athletic facilities, acquisition of real property, contributions or donations to the institution, marketing or recruiting activities, revenue related to sectarian instruction or religious activities, alcohol sales, and investment income.

Calculation of Lost Revenue

The FAQ gives specific methods to calculate lost revenue that the IHE has incurred during the pandemic. The IHEs must be consistent with the cost principles of the Uniform Guidance; therefore, any calculation must be consistent in the treatment of all revenue streams, meaning once you select a method that method must be applied to all revenue streams. The IHE should also ensure that the amount of lost revenue for the HEERF program is not included in the calculation of lost revenue for another federal program (double dipping). Also, if the institution refunded money to students and paid those refunds through HEERF, those refunds cannot be included in the calculation of lost revenue.

The following are the five methods to calculate lost revenue. Regardless of the method chosen, it is important that there is adequate documentation for the amount of lost revenue the IHE is claiming and drawing down from the G5 system.

  • A year-over-year comparison using the prior year;
  • A semester-over-semester comparison using the prior year’s semester, e.g. Fall 2019 vs. Fall 2020;
  • A comparison using a 3- or 5-year combined average revenue as baseline revenue;
  • A comparison to previously budgeted revenue or projected revenue for the period; this would not include an amount adjusted after the pandemic occurred;
  • A comparison with a baseline fiscal year prior to the March 13, 2020 national emergency declaration, such as the fiscal year from July 1, 2018 to June 30, 2019.

To determine which of the above methods is most beneficial, an institution not only has to think about tuition and fees but should also take into account auxiliary enterprises, especially if those revenue streams are material. Ultimately the IHE must decide which calculation to utilize and then apply that calculation to all revenue streams to reimburse itself for lost revenue. IHEs should also keep in mind the earmarking requirements included in HEERF 1.0 and HEERF 2.0 that must be met at the end of the grant period. These include total student expense in relation to total institutional expenditures. If an institution does not believe it will expend a sufficient student portion, it should adjust the institutional expenditures considered or risk having to return some of the HEERF 1.0 and HEERF 2.0 funds. Please contact us if you have any questions.
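To see how the choice of method changes the claim, here is a worked comparison on constructed figures. It is an added example, not part of the ED FAQ or this newsletter: the stream names, amounts, budget figures and method labels are assumptions, year-over-year and semester-over-semester are both treated as "prior_period" (they differ only in the period compared), and refunds paid from HEERF are deducted so they are not counted as lost revenue.

```python
from statistics import mean
from typing import Dict, Optional

# Streams the FAQ excludes from the calculation (a subset of the list above).
NOT_ALLOWABLE = {"alcohol_sales", "investment_income", "donations", "marketing"}


def baseline(method: str, history: Dict[str, float], budget: Optional[float]) -> float:
    """history maps a period label (e.g. 'FY2019') to that period's revenue for one stream."""
    periods = sorted(history)
    if method == "prior_period":            # year-over-year or semester-over-semester
        return history[periods[-1]]
    if method in ("avg3", "avg5"):          # 3- or 5-year combined average
        n = 3 if method == "avg3" else 5
        if len(periods) < n:
            raise ValueError(f"{method} needs {n} periods of history, have {len(periods)}")
        return mean(history[p] for p in periods[-n:])
    if method == "budget":                  # pre-pandemic budgeted or projected revenue
        if budget is None:
            raise ValueError("pre-pandemic budget required for the budget method")
        return budget
    if method.startswith("baseline:"):      # a chosen pre-declaration fiscal year
        return history[method.split(":", 1)[1]]
    raise ValueError(f"unknown method {method}")


def lost_revenue(method: str, streams: Dict[str, dict], heerf_refunds: Dict[str, float]) -> Dict[str, float]:
    """One method applied uniformly to every allowable stream, as the cost principles require."""
    result = {}
    for name, s in streams.items():
        if name in NOT_ALLOWABLE:
            continue
        loss = baseline(method, s["history"], s.get("budget")) - s["actual"]
        loss -= heerf_refunds.get(name, 0.0)   # refunds already paid from HEERF cannot be claimed
        result[name] = round(max(loss, 0.0), 2)
    return result


# Constructed sample data: one academic stream, one auxiliary stream, one excluded stream.
SAMPLE = {
    "tuition": {"actual": 900_000.0, "budget": 1_020_000.0,
                "history": {"FY2017": 960_000.0, "FY2018": 980_000.0, "FY2019": 1_000_000.0}},
    "parking": {"actual": 20_000.0, "budget": 95_000.0,
                "history": {"FY2017": 70_000.0, "FY2018": 80_000.0, "FY2019": 90_000.0}},
    "investment_income": {"actual": 10_000.0, "budget": 50_000.0, "history": {"FY2019": 50_000.0}},
}
REFUNDS_FROM_HEERF = {"tuition": 30_000.0}   # constructed: tuition refunds paid with HEERF money


def compare_methods(methods=("prior_period", "avg3", "budget", "baseline:FY2018")) -> Dict[str, float]:
    return {m: round(sum(lost_revenue(m, SAMPLE, REFUNDS_FROM_HEERF).values()), 2) for m in methods}
```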