Q: What are best practices that both the club Audit/Finance Committee and club employees should follow to make sure internal controls are protecting against cyber attacks?
A: It almost seems commonplace when reading or listening to the news that some major corporation has fallen victim to a cyber attack. The reporting typically touches on how many individuals or accounts may have been exposed and what the organization is doing to notify potential victims and remediate the issue. Cyber attacks don’t just happen to big companies: a large number of small businesses, including clubs, have fallen victim to cyber attacks, and these attacks typically go unreported.
Today’s conversation with Audit/Finance Committees regarding internal controls at clubs now includes the best practices clubs are employing to protect against cyber attacks.
Cyber attacks can and have impacted clubs in a number of ways, ranging from unauthorized banking transactions to network lockdowns that in some cases require payment of a ransom.
As auditors, one area of considerable focus is a club’s cash accounts and the club’s controls over them. Auditors test a number of control areas, including authorized signors, the check signing policy, the bank reconciliation process and the timing of its completion, as well as officer review of bank statements and reconciliations. One of the important reasons for completing bank reconciliations and reviewing bank statements on a timely basis is to uncover potential forged checks or unauthorized transactions. Prompt notification of the bank is vital to recovering the money. Generally a club has 30 days from the statement date to identify such transactions and inform the bank. However, please keep in mind that notification requirements may vary by bank and by state; the club’s banking agreement typically will specify the time requirements for reporting.
Over the past decade, clubs have begun to request more confidential information from members and/or potential members than ever before. The information can range from credit card/bank account numbers for payment processing to social security numbers for background checks. As clubs increasingly store this confidential information on their internal servers or the cloud, the need to properly protect data is abundantly clear.
In order to help secure club data, a number of clubs have been conducting a “vulnerability assessment.” This comprehensive study, usually performed by an outside company, touches on areas such as antivirus and firewall software and keeping that software up to date, educating employees on the proper use of the club’s computer network and making sure employees aren’t accessing the wrong kind of websites, implementing formal software security policies (such as password protections) and preparing action plans in case of a data breach.
Clubs also have been purchasing cyber insurance to mitigate their risk exposure. General liability insurance policies typically will not cover losses or legal fees arising from a data breach, so ensuring the club is protected in the event of a data breach will be extremely beneficial. When considering this coverage, it is important to work with the club’s insurance agent to ensure that the club is properly covered.
While it’s virtually impossible to keep the club completely safe, it’s important to consider implementing protections and protocols to mitigate the potential impact of a cyber attack.
Daniel T. Condon, CPA, and Matthew P. O’Dell, CPA, are partners in the accounting firm of Condon O’Meara McGinty & Donnelly, LLP, which provides consulting, auditing and tax services to more than 325 private social clubs in 14 states. Dan and Matt can be reached at 212.661.7777. Learn more at www.comdcpa.com.