July 30, 2024

In response to growing IT and cybersecurity risks, auditors are placing greater scrutiny on IT risk and the controls that address it. The Auditing Standards Board issued a new Statement on Auditing Standards, SAS 145 (Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement), which provides a more detailed risk evaluation framework and takes effect for audits of financial statements for periods ending on or after December 15, 2023. The standard places an emphasis on the organization's ability to identify, evaluate, and mitigate risks, specifically risks arising from its use of information technology, and many nonprofit organizations are discovering that they are not adequately prepared to meet it.

Challenge

A $20 million nonprofit organization with global operations received a recommendation from their auditors in the 2023 financial statement audit, identifying deficiencies in IT risk controls. Specifically, the organization lacked a formalized IT risk assessment framework.

Like many nonprofits, they use software-as-a-service (SaaS) applications to support critical organizational functions such as program management, donor management, accounting, email, and file sharing. The cloud vendors behind those applications maintain their own security certifications, but that covers only the vendor's side of the shared responsibility model; the organization remains responsible for how the services are configured, who is granted access, and how its data is governed. Leadership realized they needed to improve their protocols and adopt more stringent IT security practices to meet the new SAS 145 standard.

To ensure an unbiased review of their current processes and to avoid undue burden on their IT staff, the organization sought an outside risk assessment consultant. After a review of several capable vendors, they chose GRF’s Risk & Advisory team, primarily because of GRF’s risk assessment expertise working with nonprofit organizations.

During the planning process, GRF identified several challenges that the organization faced:

  1. Informal and inadequate IT risk assessment process.
  2. Insufficient policies and procedures relating to IT security.
  3. Inadequate processes for continuous improvement and assessments.

Solution

To address these IT challenges, the GRF team conducted a risk assessment that covered the following areas:

1. Asset Identification & Open-Source Threat Intelligence Scan:

An open-source intelligence (OSINT) scan identified the organization's publicly exposed assets, the risks associated with them, and candidate mitigations.

2. Baseline Risk Assessment & IT Framework Benchmarking:

This step assessed current assets, documentation, and processes against the ISO/IEC 27001 Annex A controls to identify gaps and risks. GRF chose this framework for its holistic approach to information security, which covers organizational and people controls as well as technical ones.

3. Current State Analysis:

GRF identified key risk areas and gaps, including:

    • Lack of end-user awareness and formal training programs.
    • Absence of cyber risk management policies.
    • Inconsistent security controls, including missing multi-factor authentication (MFA), loosely managed access rights to applications, and weak data security.

At the conclusion of the assessment, GRF provided the organization with tools for implementing recommended IT security policies, baseline controls from the ISO 27001 security framework, and a cybersecurity awareness training program for its employees.

They also prepared a roadmap for implementing the recommendations to meet SAS 145 requirements and evaluate IT risks. The roadmap outlined short, medium, and long-term cybersecurity goals. Immediate goals include implementing multi-factor authentication (MFA) and security training, while longer-term goals focus on policy and procedural development.

Results

After the comprehensive IT assessment, the organization now has the tools and plans in place to better mitigate risks to its IT infrastructure. Moving forward, it has enhanced its risk management and cybersecurity posture while conforming to the requirements of the new auditing standard.

GRF Can Help

IT and cybersecurity risks are changing daily, so your organization must be agile and adaptive to counteract new risks and threats. Contact us to discuss your SAS 145 concerns and to conduct an IT Risk Assessment for your organization, or reach out to our experts below.

Mac Lillard, CPA, CIA, CFE, CISA, CRISC, CITP

Senior Manager, Risk & Advisory Services

Darren Hulem, CISA, CEH, Security+

Risk & Advisory Services Manager

Thomas Brown, CISA, CIA, Security+, CAPM

Senior Analyst, Risk & Advisory Services