
How better IT governance builds trust in not-for-profit operations


WRITTEN BY

Sikich

A not-for-profit that jeopardizes trust will find itself significantly compromised. Donors, grantors, board members and regulators all expect accurate, secure and transparent financial information. Weak IT controls can lead to financial misstatements, data breaches, operational disruptions and irreversible reputational harm. Yet many not-for-profits have small IT teams or outsourced providers that struggle to maintain the IT controls needed for real security.

Information technology general controls (ITGCs) are the guardrail system not-for-profits need. The truth is that strong IT controls don’t require big budgets and complex control frameworks. They require clarity, consistency and focus on the areas of most impact, which ITGCs provide.

This article will explain what ITGCs are, the five core functions they must perform, and how to implement them.

Access to programs and data: controlling who holds the keys

In the physical world, we all obviously see the need to lock doors, whether they’re to our homes, cars or office buildings. We’re also not keen on handing those keys out to others. The same dynamics – and the same caution – should hold true for digital systems and sensitive data. Unauthorized access is one of the most common causes of fraud, data breaches and audit findings.

  • Establish an approval process for adding new users and for changing existing users’ access levels.
  • Immediately remove access when someone leaves the organization or when their need for access ends.
  • Review all user access at least annually. Pick a predictable time and set reminders.
  • Limit administrator access to those who truly need it.
  • Use strong authentication (e.g., password complexity standards, MFA, lockout settings).
  • Segregate duties so no one person can both initiate and approve the same transaction.

Common mistake

The most frequent issue auditors flag is the failure to remove access for former employees or vendors. Embedding this action into the termination checklist is an easy fix.
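The periodic access review and segregation-of-duties checks described above can be scripted so they run the same way every quarter instead of depending on someone remembering. The following is an added example, not code from the article or from Sikich: it assumes a small HR roster, an export of application accounts and a list of approved administrators (all constructed sample data here, in the shape a finance system might export), and flags departed users with live accounts, orphaned or shared accounts with no HR record, unapproved administrators, stale logins, and transactions where one person both initiated and approved the entry.

```python
import datetime as dt

# Constructed sample data (hypothetical, not from the article): HR roster,
# an export of application accounts, and the approved administrator list.
HR_ROSTER = {
    "amy":   {"status": "active",     "title": "Finance Manager"},
    "ben":   {"status": "active",     "title": "AP Clerk"},
    "carla": {"status": "terminated", "title": "Bookkeeper"},
    "dan":   {"status": "active",     "title": "Program Director"},
}

APP_ACCOUNTS = [
    {"user": "amy",        "role": "admin",    "last_login": "2024-05-20"},
    {"user": "ben",        "role": "ap_entry", "last_login": "2024-05-21"},
    {"user": "carla",      "role": "ap_entry", "last_login": "2024-02-01"},
    {"user": "dan",        "role": "admin",    "last_login": "2023-09-15"},
    {"user": "vendor_svc", "role": "admin",    "last_login": "2024-05-01"},
]

APPROVED_ADMINS = {"amy"}            # hypothetical, signed off by management
AS_OF = dt.date(2024, 6, 1)          # date the review is performed

# Constructed payment records for the segregation-of-duties check.
TRANSACTIONS = [
    {"id": "PAY-101", "initiated_by": "ben", "approved_by": "amy"},
    {"id": "PAY-102", "initiated_by": "ben", "approved_by": "ben"},
    {"id": "PAY-103", "initiated_by": "amy", "approved_by": "amy"},
]


def review_access(roster, accounts, approved_admins, as_of, stale_days=90):
    """Return (user, issue) pairs for every account that needs attention.

    Each account may produce more than one finding; the reviewer decides
    whether to disable the account, downgrade the role, or document why
    the exception is acceptable.
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # No HR record: a service, shared or orphaned account.
            findings.append((user, "no HR record: orphaned or shared account"))
        elif person["status"] != "active":
            # The most common audit finding: leaver still has access.
            findings.append((user, "HR status is terminated but account is enabled"))
        if acct["role"] == "admin" and user not in approved_admins:
            findings.append((user, "admin role not on approved administrator list"))
        last_login = dt.date.fromisoformat(acct["last_login"])
        if (as_of - last_login).days > stale_days:
            findings.append((user, f"no login in {stale_days} days"))
    return findings


def segregation_violations(transactions):
    """IDs of transactions where the same person initiated and approved."""
    return [t["id"] for t in transactions if t["initiated_by"] == t["approved_by"]]


if __name__ == "__main__":
    for user, issue in review_access(HR_ROSTER, APP_ACCOUNTS, APPROVED_ADMINS, AS_OF):
        print(f"{user:12s} {issue}")
    print("SoD violations:", segregation_violations(TRANSACTIONS))
```

Run on the sample data, the review flags carla (terminated, stale), dan (unapproved admin, stale) and vendor_svc (no HR record, unapproved admin), while amy and ben pass; the segregation check flags PAY-102 and PAY-103. Keeping the output of each run alongside the sign-off gives the auditor the evidence that the annual review actually happened.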

Change management: ensuring system changes don’t cause new problems

Change management is the process that governs system changes to prevent errors or unauthorized actions; done carelessly, the changes themselves become a source of problems. Even small system upgrades that aren’t tested can break financial reporting or disable other controls.

  • Create a documented process for requesting and approving system changes. For smaller organizations, this may fall to the Executive Director, Board, or similar role. The approver should understand the reason for the change, the steps involved and the expected impact.
  • Test and validate all changes before they go live. Keep development, testing and production environments separate.
  • Require management approval before moving changes into production.
  • Maintain version control and keep documentation of all changes.

Common mistake

Releasing changes before validating them is a common mistake organizations make. Independently confirm requests such as vendor or bank account detail changes before making them.

Computer operations: keeping systems reliable

Computer operations controls ensure that data is processed completely and accurately, that systems run as intended and that they are reliably backed up. When these systems are interrupted, payroll can be delayed, donation processing can be disrupted and key financial information can be compromised.

  • Organizations should schedule system jobs and monitor them regularly, including any batch processes and system interfaces.
  • Staff should review any processing errors or exceptions and resolve them promptly.
  • Maintain reliable backup and recovery procedures for all key systems and data.
  • Monitor system performance and capacity to identify issues before they impact operations.
  • Create incident and problem management processes to track issues, escalate them when needed and ensure they’re resolved.

Common mistake

Many organizations are confident in their IT backup capabilities but have never tested their ability to recover. Periodically testing backup and recovery is critical for resilience in case of system failure, breach, ransomware attack or an interruption caused by a third party.
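A restore drill does not have to be elaborate to be useful: back up, restore into a fresh location, and prove byte for byte that what came back matches what went in. The following is an added example, not code from the article or from Sikich. It assumes a small file-based data set (constructed sample ledger, donor and config files, written to a temporary directory), takes a compressed tar backup with a SHA-256 manifest, restores it elsewhere, and verifies every file against the manifest; an optional parameter deliberately damages one restored file to show that the check catches an incomplete recovery rather than reporting success.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data (hypothetical): a few files a small finance
# system might hold. Relative paths use forward slashes inside the archive.
SAMPLE_FILES = {
    "ledger/general_ledger.csv": "account,debit,credit\n1000,500.00,0.00\n",
    "donors/restricted_gifts.csv": "donor,amount,restriction\nD-17,2500.00,scholarship\n",
    "config/app.ini": "[db]\nhost=db.example.internal\n",
}


def sha256_of(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(src):
    """Map each file's archive-relative path to its SHA-256 hash."""
    src = Path(src)
    return {p.relative_to(src).as_posix(): sha256_of(p)
            for p in src.rglob("*") if p.is_file()}


def make_backup(src, archive):
    """Write a gzip tarball of src and return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(Path(src) / rel, arcname=rel)
    return manifest


def restore_backup(archive, dest):
    """Extract the tarball into dest, using the safe 'data' filter where available."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")   # refuses paths escaping dest
        except TypeError:                         # Python without the filter argument
            tar.extractall(dest)


def verify_restore(manifest, dest):
    """Return (path, problem) pairs; an empty list means the restore is complete."""
    dest = Path(dest)
    problems = []
    for rel, expected in manifest.items():
        restored = dest / rel
        if not restored.is_file():
            problems.append((rel, "missing after restore"))
        elif sha256_of(restored) != expected:
            problems.append((rel, "content differs from backup manifest"))
    return problems


def write_sample_data(root):
    for rel, text in SAMPLE_FILES.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def run_restore_drill(corrupt_file=None):
    """Full cycle: create data, back up, restore to a fresh directory, verify.

    corrupt_file (optional) overwrites one restored file to simulate a bad
    restore. Returns the list of problems found by verify_restore.
    """
    with tempfile.TemporaryDirectory() as work:
        live = Path(work) / "live"
        restored = Path(work) / "restored"
        archive = Path(work) / "backup.tar.gz"
        write_sample_data(live)
        manifest = make_backup(live, archive)
        restored.mkdir()
        restore_backup(archive, restored)
        if corrupt_file:
            (restored / corrupt_file).write_text("TRUNCATED")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean drill problems:", run_restore_drill())
    print("damaged drill problems:", run_restore_drill("ledger/general_ledger.csv"))
```

The clean drill returns no problems; the damaged drill reports the ledger file as differing from the manifest. For a real system the same pattern applies with the production backup tool in place of tarfile: keep the manifest from backup time separate from the backup media, restore to hardware that is not the production server, and record the drill's date and result as evidence for the audit.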

Program development: creating systems the right way

Program development is the system of controls that guides how new IT systems or major upgrades are implemented. Poorly designed or implemented systems can introduce errors and control gaps and compromise the accuracy of financial information.

  • Use a formal system development life cycle (SDLC) or another structured methodology to guide new system implementations and major upgrades.
  • Ensure that management reviews and approves system requirements and design specifications before development begins.
  • Conduct thorough user acceptance testing (UAT) and obtain sign‑off before the system or enhancement goes live.
  • Incorporate control features such as input validation, audit trails, and proper data flows into the system design from the start.
  • Confirm that new financial applications or enhancements correctly integrate with the general ledger and other key systems.
  • Engage qualified internal staff or external experts to support the implementation when internal bandwidth or expertise is limited.

Common mistake

A frequent mistake is implementing new systems or enhancements without a structured review and testing process. This often leads to errors in financial reporting, such as misstated revenue or misclassified donor restrictions. Many organizations also underestimate the time and expertise required for system implementations, which increases the risk of control failures and data integrity issues.

IT system security and infrastructure: staying safe

System security and infrastructure refer to the technical and operational safeguards that protect an organization’s systems and data. These controls ensure that financial information remains secure, available and protected from unauthorized access or loss. Without strong security and infrastructure controls, even well-designed application- or process-level controls can be overridden, bypassed or compromised.

  • Organizations should apply security patches and address vulnerabilities promptly to reduce exposure to cyber threats.
  • Servers, databases and applications should follow established security configuration standards to ensure they are set up securely.
  • Security events should be monitored, and alerts should be reviewed so that suspicious activity is identified and addressed quickly.
  • Physical and environmental safeguards should be in place to protect data centers and critical equipment from damage or unauthorized access.

Common mistake

A common mistake is failing to apply security patches in a timely manner or relying on outdated server configurations. These gaps can expose donor and financial information to cyberattacks or system outages. A single ransomware incident or network intrusion can disrupt accounting systems, delay financial reporting and compromise sensitive data.

Bonus: IT governance and oversight

IT governance and oversight provide the foundation for all IT general controls. They define the policies, accountability structures and review processes that guide how technology is managed across the organization. Strong governance ensures that IT risks are handled consistently, responsibilities are clear and controls are designed and executed effectively. Weak governance often leads to inconsistent control performance, unclear ownership, and recurring internal control deficiencies.

  • Organizations should clearly define roles and responsibilities for IT functions and control owners so that accountability is understood.
  • Written IT policies and procedures should be established, maintained and updated regularly to reflect current practices and risks.
  • Leadership should conduct periodic reviews to assess whether IT controls are operating effectively and address any gaps identified.
  • IT risks and remediation efforts should be reported to senior leadership or the audit committee to ensure visibility and oversight.

Common mistake

A common mistake is operating without clear governance structures, which leads to inconsistent execution of IT controls and unclear ownership of key responsibilities. This often results in control failures that affect financial reporting, data security and overall organizational trust. Strong governance helps not-for-profits maintain reliable systems, protect sensitive information, and reinforce the transparency and integrity that donors and stakeholders expect.

Review our governance and compliance and not-for-profit services to learn how we can help secure your not-for-profit organization.

About our authors

Steve Randall, MBA, is Sikich’s Governance, Risk & Compliance leader, and has over 30 years of management and consulting experience with specialized skills in project management, operational efficiency, and conflict resolution. Steve also possesses a depth of knowledge in business management, risk and internal controls. He provides independent counsel, identifies core issues, develops strategic solutions and offers leadership to clients facing challenges.

Leary Morris, CPA, is a director on the not-for-profit services team at Sikich. Leary has extensive public accounting experience working with social services organizations, membership organizations, private colleges and universities, Title IV schools and more. In her current role, she oversees engagement teams, working directly with staff members and alongside clients.

Author

Sikich is a global company specializing in technology-enabled professional services. With more than 1,900 employees, Sikich draws on a diverse portfolio of technology solutions to deliver transformative digital strategies and ranks as one of the largest CPA firms in the United States. From corporations and not-for-profits to state and local governments and federal agencies, Sikich clients utilize a broad spectrum of services* and products to help them improve performance and achieve long-term, strategic goals. *Securities offered through Sikich Corporate Finance LLC, member FINRA/SIPC. Investment advisory services offered through Sikich Financial, an SEC Registered Investment Advisor.