Addressing each of the questions included here, as well as those that were included in my last column on board governance practices, will be of current and future value to your organization. In this column, I continue the list of best practices that every tax-exempt organization’s management and board should have or may need to address. The topics covered in the area of information technology controls as well as government regulatory compliance seem to appear in the news media on a weekly basis.
The questions below are structured so that any “no” answer requires some degree of follow up or corrective action on the part of management. Specifically, with respect to each question, its applicability to your organization will depend upon whether or not the corrective action is practical in relation to your organization’s services and budget size. In addition to being practical, the corrective action implemented must be Scalable, Affordable, Feasible and Enforceable. I believe the practical and SAFE acronym should be applied to all policies and procedures, other than those required by laws and regulations. Our firm and specifically the IT department have presented a number of seminars on the topics of information technology privacy and security controls. In attending these seminars, I was motivated to provide the following list of best practice policies and procedures in this column.
However, since I am not a technology wizard, but more appropriately labeled as a dinosaur, I decided to meet with two of my IT partners, Carl Cadregari and Charlie Wood. I wanted to be sure that rather than offer 101 best practices that would overwhelm your IT personnel and infrastructure, I wanted their focused recommendations with respect to their Top 10 best practice areas. The results of that meeting and discussion produced the following recommendations in the form of questions:
- Does the organization maintain an IT hardware and software replacement plan?
- Does the organization have an annual IT work plan?
- Does the organization perform internal and external penetration testing on a periodic basis, annually or more frequently using external professional consultants?
- Does the organization audit key and critical vendor compliance to the data security and privacy laws it must meet?
- Does the organization have the necessary software to document attempted unauthorized access to its IT network and applications, commonly known as SIEM (security information and event management)?
- Does the organization back up its key software application files on a daily basis and store the backup files in an off-site location?
- Does the organization have a well-documented and practical disaster recovery plan that is tested in order to verify that the backup and restore function is functioning properly?
- Does the organization have a cyber liability protection rider on its general liability policy?
- Does the organization periodically test for employee compliance with its policy to prevent unauthorized access to its network and software applications? This testing is periodically required to minimize the risk of unauthorized hacking from outside parties that involves increasingly sophisticated techniques.
- Does the organization have effective data encryption for confidential data everywhere it resides (including smart phones) or is in transit (i.e., emails)?
In addition to the meeting with Carl and Charlie, I also met with Paul Mayer and June Crawford, the experts in our regulatory compliance practice group known as compliance solutions. I asked them for their concerns related to compliance with laws and regulations. They provided the input that follows.
- Has the organization’s compliance officer been diligent in preparing an annual audit work plan that is reviewed by senior management and the audit committee?
- Has senior management completed an organization-wide risk assessment that has adequately identified both internal and external risk factors?
- If the answer to the question above is yes, has the organization’s management confirmed that all risks, as appropriate, have been addressed in the annual compliance work plan or some other internal control process?
- Has the organization been diligent in obtaining business associate agreements from all vendors, consultants, and professionals that provide service to the organization and may have access to protected health information?
- Does the organization, subject to Medicaid compliance requirements, diligently complete the OMIG compliance program effectiveness review self-assessment?
- Does the organization, subject to Medicaid compliance requirements, submit the required annual regulatory compliance attestation report to the OMIG each year?
- Does the organization have sufficient documentation regarding cost allocation procedures in compliance with the cost reporting regulations of its various funding sources?
- Do the organization’s program activities and services match the defined mission of the organization as reported on its IRS Form 1023 application?
- Regarding the organization’s retirement plan, have any and all amendments been reviewed by legal counsel to document that the amended plan is compliant with DOL and IRS regulations?
- Does the organization’s compliance officer meet with the appropriate board committee in executive session on an as-needed basis, but no less than twice each year?
The best defense is a good offense. While the best practices referred to above are certainly not all-inclusive, conducting a review of these areas, with appropriate modifications, will certainly enhance the protections that tax-exempt organizations need to address in the era of technology revolution.
Gerald Archibald is a partner serving both of our Rochester, NY, and New York City offices.