
STRONG POLICIES AND INTERNAL CONTROLS – SAFEGUARDING YOUR RESOURCES, AND YOUR REPUTATION
Maria Falvo
Chief Operating Officer
American Savings Foundation
Bradley P. Lusk, CPA
Managing Partner
Sisterson & Co. LLP
Deborah Shinbein, Esq.
Certified Information
Privacy Professional
Data Law Group, P.C.
Scholars Say Promised Money Didn't Come
December 08, 2013
By MATTHEW KAUFFMAN And VANESSA DE LA TORRE, Hartford Courant
Background article on this story.
Best Practices
• Establish an independent audit committee.
• Conduct an annual audit. Remember – the auditor should report to the audit committee, not to staff.
• Respond to all audit findings and recommendations.
• Conduct a formal annual review of top management.
• Adopt and review policies and procedures. Decide which should receive annual board approval.
• Regularly communicate policies and procedures to staff through an employee handbook and regular staff meetings.
• Provide regular education to the board related to governance, compliance, policies and procedures.
• Perform a risk management review.
New Challenges in a Digital Age
Data in many formats and locations
Laws vary from state to state
Policies needed for protection from liability (and compliance)
• Website terms of use – and other online concerns
• Privacy / use of personal information policy
• Data security policies (WISP, AUP, BYOD, more)
• Data retention/destruction policy
• Breach preparation/response policy
New Challenges in a Digital Age (Cont.)
Data security tips:
• Oversee third party providers:
  • Screen carefully – 3rd party certifications, due diligence
  • Contracts – include security requirements, audits, warranties, indemnification, breach response, termination provisions, and more
• Encrypt data in transit and at rest; SSL when appropriate
• Implement access controls, strong passwords
• Test your security measures (tech penetration, human errors)
• Update antivirus, system patches, etc. regularly
• Back-up frequently, specify approved use of cloud providers
• Don’t collect more than needed or keep longer than necessary
Our experience – what works
• Work with your auditor to get the most out of your annual audit. Together, look for opportunities to strengthen controls.
• Make sure the annual review of policies is not simply pro forma.
• Document, review, update and follow procedures for all key activities.
• Consider additional challenges for a small staff.
• Never be satisfied. Test your assumptions.
Contact information
Maria Falvo
Chief Operating Officer
American Savings Foundation
185 Main Street
New Britain, CT 06051
[email protected]
860.827.2556 phone
860.832.4582 fax
Bradley P. Lusk, CPA
Managing Partner
Sisterson & Co. LLP
310 Grant Street
Suite 2100
Pittsburgh, PA 15219
[email protected]
Phone: 412.281.2025
Fax: 412.338.4597
Deborah Shinbein, Esq.
Data Law Group, P.C.
3700 Quebec Street
Denver, CO 80207-1639
[email protected]
Phone: 303.997.1325
Fax: 303.796.7203