Our Fraud Awareness in the Church series continues as we look at Information Technology Security. We asked churches to respond to these statements:
“Our church has a formal information technology security plan.”
“Our church financial secretary or accountant/bookkeeper has access to all modules of the church’s software system.”
Churches struggle to keep up with the challenges of the rapid change in information technology. Even when they want to address the issues in the two questions above, the workload crush of most churches makes it very difficult to stop the train long enough to develop a good IT plan. This is clearly (to me) reflected in the:
Survey Results: Only 50% of the participants have implemented a formal information technology security plan.
In another indicator of the impact workload pressure has on fraud protection, a whopping 80% of the churches surveyed confessed that their accountant/bookkeeper had access to ALL of their church’s software applications.
In the vast majority of churches this large degree of “trust” is placed in the hands of very good people and a problem never arises. But if, just once, a church employs an individual given to theft and gives him or her this much access…trouble is probably just around the corner.
In PSK’s Faith Based Accounting Blog I posted an article titled “Taking IT for Granted”, where I addressed this issue. The following are a few questions each church should ask itself when developing strong IT controls:
- Does our church have a formal Information Technology security plan?
- Do any individuals at our church have access to all modules of the church’s software system?
- Does our church partition its computer applications so that employees and volunteers have access only to files necessary to perform their duties?
- Does computer access require passwords that are confidential and unique?
- Are our passwords changed periodically?
- Are passwords complex, including alpha, numeric and case-sensitive characters?
- Do we have backup procedures that are performed regularly and that include off-campus storage?
- Do we have measures in place to protect the church from malware?
- Do we train our employees to avoid accepting email from unknown locations?
- Do we have a download policy?
- Do we maintain separate public and private wireless networks?