Ai-Media Transcript - FISCAL_OVERSIGHT_FOR_IL_LEADERS_COHORT_WEEK_3 (English) AUG_12_2025 Live Captioning by AI-Media

TYLER MORRIS: Hi, everyone. Welcome. We are going to allow a few seconds for folx to keep joining in. Take this time to introduce yourselves in chat. It's good to have y'all. I see some other folx joining in. All of you that are joining, go ahead and introduce yourself in the chat. We have a lot of material to go through. My name is Tyler Morris, I am the director of training at the Independent Living Training and Technical Assistance Center. Today, we're going to be discussing our third and final topic in our second cohort: 'Controls over Federal Compliance, August 2025'. Before we begin, on accessibility: both our ASL and Spanish interpreters are available, and English interpreters are available. You can access them as well as closed captioning by using the bottom bar of your Zoom window. Today is time for y'all to ask questions and for us to keep track of those. We ask that you either raise your hand during the presentation or afterwards, or use the chat feature. Please remember to state your name before speaking, since we are working with our interpreters and captioning today. Also, our team is available for you in the chat feature. All of them are labeled with IL T&TA Center, if you experience any accessibility issues or difficulties with today's call. And as always, we ask you to take some time to complete the survey at the end of today's training, so we can get some feedback from you. And I am curious, since we have the chat open, how many of us have attended all three of our Fiscal Oversight for IL Leaders sessions? Do we have anybody who has joined us all three times, made all three sessions? You can use the chat. Abby's got her hand up!
Okay, and another hand up for 1715… Welcome. I'm glad you have all stuck around for all three sessions, and this session is going to be another one that I hope you will learn from. Our learning objectives for today are walking away with an understanding of the requirements for controls over federal funds, how to document your controls and be sure they are followed, understanding how internal controls ensure adherence to federal requirements, and lastly, how to protect yourself from cyber threats. So, without further ado, I'm going to introduce our two presenters today, Paula McElwee and John Heveron, who will be leading us in today's discussion. So, please keep the chats coming and the questions coming as we go through the presentation. We will go ahead and get started.

PAULA L McELWEE: Thank you, Tyler. This is always a fun one. Go ahead to the next slide, that is fine. This is always a fun one because we are talking here about the requirements in the law around what you can and can't do with federal dollars. So, we're going to talk about some of the ways that you can make sure that things are handled properly. So, John, do you want to lead us off?

JOHN HEVERON JR: Sure, thanks, Paula. So, we've got the objectives listed here. Ensure financial statements and federal reports that you prepare are proper and accurate. Make sure that you have proper checks and balances, keep track of and protect your assets, show you are following the federal rules and grant terms, and protect personal and confidential information. So… And the next slide. We will get into the specifics. So, some of the compliance requirements that exist out there and may apply to your programs, and actually, some of these virtually always apply, include things like: well, what activities are allowed? What costs are allowable or, more importantly, unallowable? Cash management, that is the timing of draws; if you're taking advances, how quickly that money needs to be spent.
Eligibility of the people that you serve - who is eligible. Any matching requirements you have; that's really not an issue for most programs.

PAULA L McELWEE: Not for the most part, although all of the centers are supposed to do resource development, and sometimes there is a matching requirement with some of the resources they create.

JOHN HEVERON JR: Okay.

PAULA L McELWEE: I also want to mention, John, that the first part about the grant numbers, we went back and forth in emails, but this just came up and a state cited a center because they couldn't identify grant numbers for the grant they had, and it is actually required in the regulations that you do. So, I plugged it in there at the last minute so I wouldn't forget to mention it. You should know the grant numbers; it's in your grant award and you should be able to track that. Often, that is part of the title in the accounts or the, you know, actual grant income resources, but capture it someplace because you might get asked. (Laughs)

JOHN HEVERON JR: Alright. The other potentially relevant compliance requirements are the period of performance, so when you're carrying on activities, and then what reporting you have to provide. And then, some specifics on the next slide. So, not all of these will tie to all of your funding sources, although most of these generally do apply. Activities that are allowed or unallowed, allowable costs, unallowable costs, cash management, which really always applies, eligibility, and period of performance, when you incur costs. So, when any of these are direct and material to your federal funding, then you have to document that you have control over these, and that's why this is so important, this program here. Direct means it applies to a specific program or activity you are carrying on, and material means it is significant enough to influence decisions or outcomes, or to create an exposure – a potential liability.
So, do you always know what grant you are applying costs to, and are you consistent? You should be, and Paula, this is probably the third time we've said the same thing, but it is so important.

PAULA L McELWEE: I know, but it needs to be said again. (Laughs)

JOHN HEVERON JR: Right, and you need to track that right at the time you incur the cost. Going back and trying to redo it…

PAULA L McELWEE: It makes it (Laughs)

JOHN HEVERON JR: First of all, you are doubling the amount of time that you spend, and secondly, it is subject to uncertainty. So, you've got some risk of errors.

PAULA L McELWEE: Yeah, and the tendency that some centers have, for cash flow purposes, so you can draw your federal funding down more quickly and you can get your state funding, or vice versa, depending on your situation, but because of that, sometimes there is a tendency to change the funding source for a specific expense, and you can't do that. Now, you can change your budget and rearrange some things if you have to redo your budget, but then you are starting over with a new date for how you are spending it from that date on. You don't get to go back and forth and willy-nilly, you know, move the money over here or move the expense over there. That is not an allowable procedure. You have to have consistent practices. You know where your money is going and you consistently identify it, and show that that is how the money was spent.

JOHN HEVERON JR: And on the next slide, I like the first comment because it says, does the grantee – do you – have adequate staffing and systems and processes to provide reasonable assurance that ACL awards are utilized in line with the applicable acts, statutes and regulations, and award terms and conditions? That is why you need administrative cost. You know, we talked a while ago about an indirect cost rate. You need to have oversight and therefore, you need to have your support services, your administration.
PAULA L McELWEE: And I was going to say, the board needs to understand it. That's the other part of it. The board has oversight and ultimately, so, that is part of why we named the board and are trying to get the board members to come to these sessions, because the board needs to be aware, and if your board is not aware, let us do a little training with your board directly about how your system works so that you can make sure that they are aware of what is going on. At the end of the day, they have the internal control responsibilities. They pass some of those on to all of you, but the board is actually responsible.

JOHN HEVERON JR: Yeah. And actually, that's the next point, is that the board is supposed to approve those policies. In fact, until they are board approved, they're not really a policy of the organization. So, that is important. Duties should be segregated to ensure that key financial processes have adequate checks and balances. Your fiscal policies and procedures should be current. Paula, you commented about how frequently a policy should be reviewed and potentially updated.

PAULA L McELWEE: Yeah. I would like them to be reviewed every year because enough things change, and if you kind of assume that you remember, that doesn't mean that you are following your own policies, and if you are reviewed, one of the things the reviewer will do is check your policies and hold you accountable to do what you said you were going to do. And so, if those are not current policies any longer, you need to update them. Hopefully, you will update them as things change, but once a year you should stop and take a look and make sure they are current.

JOHN HEVERON JR: So, the next point is, do you have an internal review or evaluation process for compliance with your own policies and procedures? And then, do you have policies regarding budget modifications and are they being consistently applied? These items are all from an ACL Fiscal Review Checklist.
So, if you are being reviewed, these are the points they are going to check. So (Laughs), you want to be on top of this. You want all yeses in answering that.

PAULA L McELWEE: And that is a fairly new checklist, if some of you haven't seen it before. It is something that ACL is just making available to us right now. Their new tools for doing reviews of centers, and this is the fiscal piece.

JOHN HEVERON JR: Yep. And on the next slide... So, specific controls over allowable costs and cost principles must include certain items, and here are some examples. Review of contracts by somebody who is knowledgeable to identify the things we just talked about – allowable activities, the overall budget, whether certain activities potentially require any equipment. For example, they require preapproval.

PAULA L McELWEE: Typically, equipment, like we mentioned last week, there is a form for that that takes place if it's over $5000. You want to make sure that you put that in place, and you also want to take a look at your other controls over cash management. For example, what is your process for drawing? Now, a lot of you have a very systematic process. You collect your expenses, and at the time of payroll you put those other expenses with payroll expenses and figure out how much money you are going to spend for those purposes, and before you mail the checks, and before you - just before you mail the checks or draw the payroll, you draw the funds that are the federal portion related to that, and then usually send some kind of a request for funding to your state if you have funds that come through the state as well. But you need a system for how you handle that, and if there is a time gap, there shouldn't be. What the feds say is immediately, right? You are drawing down that federal money and you are spending it immediately. And now, they've also said, kind of on the side, "Well, 72 hours maybe would fit into that immediate timeframe," but you are expected not to draw in advance.
You're not expected to draw down 1/12 every month and use it for your expenses. You're expected to draw down based on what you are actually charging to that grant, not all of your expenses, but the portion of the expenses allocated to that grant.

JOHN HEVERON JR: And you go and document that and keep a file of that - what Paula said, is three years a safe timeframe?

PAULA L McELWEE: Always three years. Always at least three years.

JOHN HEVERON JR: Okay. On the next slide. So, period of performance controls. Again, all of this is more or less in your wheelhouse.

PAULA L McELWEE: Okay. So, I can do that. So, you will review your contract on a regular basis to determine what you said your deliverables were. You have more of that specificity with some of your grants than others. So, you may have some specific, for example, your fee-for-service programs that have very specific deliverables of what you can expend or can't. With other grants, you have specific requirements on what you can draw down in advance, what you pay as you go, whether or not you can carry money over and spend that amount, how you pay back if you overspend or spent on something you shouldn't have. I've got a couple of centers I am working with right now that are going to have to pay back some of the money; they spent it inappropriately, or the public health dollars. They spent it on something else, and so, in those cases, they have to develop a plan for that. Look at your contracts, because often your contracts tell you about that. They tell you, "Okay. If this, then you have to do that." So, not just the work you perform but also anything else that is a requirement around that grant. Somebody should always review those contracts. Every time they come in, because you don't know if they've changed even a little bit. So, make sure you always read the contract.
Now, if you have a state association of centers and you have state funding coming in, often that state association or the centers altogether will actually do the review of the contracts because you've all got, hopefully, a similar contract. (Laughs) So, hopefully, you may be able to help each other out in analyzing the terms of the contract. But I can't tell you how many times I've come across a situation where a center doesn't know what the contract says until they're asked to do something that surprises them. And then, they go back and look and, "Oh gee, I've been signing this contract all along and I didn't realize I was supposed to do that." So, make sure you do that. Review your own plan and make sure your plan agrees with all the requirements in the contract. You have to have a three-year plan. We haven't talked about that a lot here. We did a session on that a few weeks ago, but you are required to have a three-year program and fiscal plan. We usually think of the fiscal plan as a budget, right? That is a fiscal plan, but it might have other information too. But it is a three-year plan, and I don't see a lot of you having three-year plans, fiscal plans, and your three-year plan is supposed to be both fiscal and program. You ought to be thinking in terms of not just this year, but also where is this going in the future? I think next slide.

JOHN HEVERON JR: So, the 2024 Compliance Supplement has guidance for internal controls, and it states that internal control should be in compliance either with the standards from COSO, the Committee of Sponsoring Organizations – which is a leadership organization – or the Green Book. The Green Book is internal controls in the federal government, and I know you are not the federal government, but they specifically say that recipients like our organizations should follow one or the other. And I will just mention also, the Green Book just recently got updated. It can be found at gao.gov/Green Book.
It is not applicable yet. It will not be applicable until fiscal year 2026. They didn't say, but I'm assuming September 30 because that is the government's fiscal year. So, in any case, both of these sets of principles have five key areas and 17 principles. Some of the changes with the new Green Book are going to be examples of prevention and detection activities and a link to additional resources. So, even though it doesn't apply, or it isn't required until fiscal 2026, it wouldn't be a bad idea to look at that now because it's really just additional strategies for controls. So, the next slide starts with the five key areas of internal control. The first being your Control Environment - your commitment to integrity and ethical values, your oversight, your commitment to competence. So, your training process says a lot about that. Your hiring and your training process tell about your Control Environment and your commitment to competence. The next principle is risk assessment – identifying and analyzing all sorts of risks. We talk about cyber, but all sorts of risks that may impact your organization. Control activities are the policies and procedures that you identified to control, or to limit and control, those risks. And then, on the next slide, we have information and communication – your internal communications and training program and even your external communications about your policies, your procedures, and your values. And that might include your communications with your board when somebody is considering joining your board. You're going to share your values, and that's an important thing to do right at the onset of a new board member.

PAULA L McELWEE: I might mention here, John, that a lot of times, you will turn to us and say, "Can you do board training for us?" And we can.
That is what this is, and it is recorded and is found on the website and you can look at it later, but that is not sufficient for what we are talking about here, because what we are talking about here is training specific to your organization's internal controls. And I am giving you, and John is giving you, generalizations, but you have to have specific policies in place. Who does what, when, how, and it's got to be specific to your organization. That training also needs to be taking place.

JOHN HEVERON JR: Yep. And then, monitoring activities, your ongoing assessment of whether controls are still appropriate for your programs. You know? You may have to establish some controls for specific programs if your program, if your funding sources change or the requirements of those funding sources change. Are those procedures still appropriate? And then, are they still being followed? Next slide. What do you think, Paula?

PAULA L McELWEE: This one is my favorite one. (Laughs) Well, this is my favorite one. When it comes to internal controls, you need to document what you are doing. If you don't document it, it didn't happen. So, when you are reviewed by someone, they're going to come in and they are going to say, "Show me how the board treasurer follows through on this specific responsibility that is in your policy." And if you can't show that it happened, then it didn't happen. (Laughs) So, if you didn't document it, you didn't do it. That is true for everything that you have to prove, right? If you have an auditor, an independent auditor, and we hope that you do, coming in and doing a financial statement review every year at a minimum, and many of you have a single audit because you spend more than $800,000 in federal money. When that person comes in, or people come in, that agency comes in to review your center, they are looking for documentation. That's what they want to see. They want to see, not a copy of the credit card summary statement; that is meaningless.
It tells you the name of something; it doesn't tell you what was purchased, where it was delivered, and the funding source the individual item was charged to and why, and you need to be able to show that on the original bill, not on a credit card summary. It's not enough information. It's not documentation of the actual purchase, and you need actual documentation of your policies and practices. So, if someone is doing, for example, a review of your financial statement or a review of your bank account, and making sure that it's reconciled, okay. Then, make a note on that bank account statement of who reconciled it and any discrepancies that were found. If you don't write it down, how do we know anybody bothered to reconcile it at all? So, I could beat that horse a long time, because when stuff goes wrong during a review, it is often because - not because you didn't do it, sometimes, but because you didn't document it.

JOHN HEVERON JR: Just a couple other things to tack onto that. An example of monitoring your training: if you have a staff training in cybersecurity or internal controls, you're going to document that, but if you just make that a part of a staff meeting, let's say you just do a little piece as part of a staff meeting, document that as well. It doesn't have to be big. It's actually very valuable to do these continuous reminders of the very basic things, because the very basic things, as we will talk about later, are how cyber attacks occur.

PAULA L McELWEE: Yeah. So, put it on the agenda, file that agenda in a folder, and this could be an electronic folder, it doesn't have to be paper. File the folder and agenda for staff meetings, and that will be your file for things that you are doing for ongoing training for your staff.
JOHN HEVERON JR: You know, as an internal auditor, or as an external auditor, I should say, we have requirements while we are doing a compliance or single audit – to look at your compliance and look at your controls over compliance, and we report on both of those. If we find no instances of noncompliance, but we don't see documentation that you have controls over compliance, that is a reportable finding. So, that is how important it is to document your procedures here.

PAULA L McELWEE: Next slide.

JOHN HEVERON JR: I wrote above this first point, "Just say yes." If your auditor asks you if you're doing monitoring activity, just say yes, because you are doing certain monitoring activities. You are doing budget development. You are comparing budgeted results to actual. You are doing an insurance assessment, a risk assessment, possibly with your agent. You are reviewing your receivables and payables. You are probably monitoring your liquidity and discussing cash controls. Now, that is not everything; there's a lot more things, and in fact, we've got sort of a short list in a little bit, but don't ever think you are not doing monitoring. You may not be monitoring certain areas, so we will talk about how to enhance it, but you are monitoring.

PAULA L McELWEE: Yes, "just say yes" is great, John, because every time that you are looking at something, and every time the board is looking at a financial statement, reviewing this, you have a monitoring role in that. So, absolutely. You may not have a perfect one, but you're always doing something.

JOHN HEVERON JR: The last point here is you can monitor different activities on a rotating basis, possibly every third year, and on the next slide, we've got a list of some possible procedures. And I will just say, if you are a really large organization, and you have the budget for it, you may have an internal audit function.
You may have a dedicated internal audit person who is really independent from your finance department and is providing this kind of oversight. But most of you don't have that luxury; by far, most of you don't have that luxury, but it can be some staff time allocated to this process, and it might possibly be some members of your finance committee that will do these things. But just some sample monitoring procedures: they could look at the hiring process, look at the completeness of your personnel files, look at the payroll oversight, the independence of, you know, recording the hours, calling them in, and independently looking at the payroll journal once payroll is prepared. Review them for accuracy and integrity, reviewing that your bank accounts are reconciled in a timely way. Review your purchasing process; we talked about procurement last week. Assess the physical security of confidential information, review charge card documentation, this is for everybody all the way up.

PAULA L McELWEE: Absolutely. In fact, you want to make sure, those of you who are executive directors, and I see a lot of names I recognize as executive directors, you want to make sure you have a process where somebody else reviews your credit card bills. It is not OK for you to be approving them and passing them on and saying, "Just pay them." I once took on an organization, and one of the first things I ran into was credit card bills from the prior person, and there were no receipts with any of them. This was before it was easy to get those receipts from the credit card company, which you can do much more easily than you could then, but I could not get them, and he had been approving those things himself. Do you see the problem? We don't know that those expenses were all related to that company's activities at all; we know nothing about what he was spending that money on. Why he had a membership at the downtown club, I don't know.
It was charged to that credit card. Was it used for appropriate activities related to that credit card? I don't know, but I don't think so. If I don't have somebody else looking at my work, they have the right to question me. Let's make sure that we offer that. Glad to have you do it. The other thing that we sometimes see related to our internal monitoring activity is job switching. If you have somebody that runs payroll and somebody else who runs accounts payable, for example, maybe for two reasons, they could switch, one month or year. One reason is that it's good for somebody else to know the job. In case you have to be gone, somebody knows how to do that job.

JOHN HEVERON JR: One other possible procedure: whether staff training is sufficient. You can look at the process for training, but then follow up with staff on whether they think it's what they need to do their jobs and if they really understand their responsibility. Again, you can probably add to this list, but you're not going to do all of this every year; you're going to do this on a rotating basis.

PAULA L McELWEE: Just like you do your risk assessment, you don't need to meet with your carrier every year to assess what insurance you need, but on a periodic basis, that conversation ought to happen. Same with all these other pieces, just make sure that on a periodic basis, everything is like that. Now capture that in your policy. Your policy should say risk assessment, here's how we do it. It should say physical security of confidential information, and here's how we review it and here's what we do. Make sure that the policies lead to the monitoring, lead to the activity that results in the practice.

JOHN HEVERON JR: I just want to mention that if you have a remote or partially remote staff, that may change some of these or revise some of these monitoring procedures. Paula, do you know to what extent that occurs?
PAULA L McELWEE: One of the things that happened, and I don't know if anybody would want to drop in the chat or let us know that way, but one of the things that happened post-COVID is that we realized we didn't need people to be in the office. Almost all centers have remote activity. Some did bring everybody back in, but often, they give people three days in the office and one day working remotely from home, or other kinds of things. Because there is remote work, you do have different expectations about things. You still have to secure, we will talk about cybersecurity specifically, that becomes probably one of the biggest risks. If you're doing everything from your phone and your home Wi-Fi as opposed to from the office, then you have a different set of security that you've been monitoring, that you need to have in place.

JOHN HEVERON JR: Next slide. You are all responsible for security, security over individually identifiable information, data that identifies the person that the data is about.

PAULA L McELWEE: We don't do HIPAA very much. We may have other grants with other organizations, but your Part C and Part D grants are not considered healthcare, so you are not expected to follow those HIPAA regulations. Sometimes, you will run into a grant where you are, so be aware of that and the requirements of that contract as you do some of these other activities, because it's important for you to know that. Also, identifiable data includes personnel. It's your staff; you have identifiable data about them, and then your consumers, you have identifiable data about them that may not be health-related, but you still know where they live, you know their phone number, you have other information about contacting them or being able to contact them. You want to be sure that that data is still safe. You want to treat it as confidential; you don't publish a list of the people that you serve or anything like that.
JOHN HEVERON JR: You need to take actions to limit the cybersecurity risks and to protect the confidentiality of this information. The next slide.

PAULA L McELWEE: That's both paper files and electronic files. Many of you still keep a paper file for personnel because there are some things that are done on paper. A lot of you have gotten away from that with consumers, and most of your consumer records are electronic records, and if you don't know this, I will say it so that you're aware: you can keep everything electronically, so even signed documents, electronic signatures are allowed. Scanned documents are allowed. You may keep an entire file electronically. I think many of you are doing that with consumer files, maybe not with personnel files. I don't work with personnel systems much anymore, so I don't know. If you're using a payroll program, they often have the ability to do the same thing, keep an electronic personnel record. Whether it's electronic or paper, you need to know a couple of things. You need to know that it is secure in case of a disaster, so you need to have a backup plan, records in a cloud. Think about if your building got blown away by a tornado tomorrow, or a hurricane, I'm sorry, I see the comment down there. If you find yourself in a situation where your computer is lost, your server is lost, your paper, is the information secure somewhere, and how are you doing that?

JOHN HEVERON JR: You need to limit access to your systems, possibly using intrusion detection systems, and a disaster recovery plan can really help increase security, because a disaster recovery plan really walks you through the process of how you would recover. It makes you think about securing your data. If you have cyber insurance, your insurance company is very likely to be willing to provide you with policies, with recommendations for security. That's something you should really have these days, and it's a free resource for you if you do.
Consider that, and we will go on to the next slide. Businesses and nonprofits get hacked every day. I listed one example because it may seem crazy, but the federal group that monitors the presidential motorcade got hacked by a couple in Eastern Europe, when I tell you that everybody is subject to risk here. The most recent Association of Certified Fraud Examiners Report to the Nations, this is an association and they issue this report every year, and they do it based on assessing frauds, and they break it down by industry, type of fraud, profiles of people, and we've got a link to it here. It really is very useful to know where these problems occur. It also tells us some very specific facts based on these cases that, for example, training your staff in cybersecurity awareness reduces the duration of crimes, the amount of crimes, cutting them in half. I'm sorry, go ahead.

PAULA L McELWEE: I'm sorry, I didn't mean to interrupt. Sometimes, the cyber attack happens through your staff email. Somebody gets an email asking for certain information and expecting it to be clicked on, and they are in trouble, because it appears to be legitimate. Teach staff to look at those email addresses that are sending that email before they answer. Never click on anything from someone unknown, even if they think they might know them, do a double check. If it's asking you something that doesn't make sense, do a double check. A lot of times, that's how they get into your system, is through your staff email.

JOHN HEVERON JR: On the next slide, this isn't a very difficult question: what do cyber criminals want? They want money. They would like to steal it from your accounts, and they would like to freeze your access to your computers and get ransom from you before they may or may not give you the code to unlock it or regain access to your systems.
They want credit card numbers and Social Security numbers that they can sell for money, so it's all about money, and they want to do this very badly, and they are willing to and do spend their days trying to trick you and steal from you. This is the career of many people. They are very well paid. I was in a training about these processes, and they really make good money. I could get a (indiscernible) rate. At any rate, we are going to talk about some procedures that, if you follow them, you should be able to reduce the cyber attacks by 90%, and what Paula just said is big here. Not clicking on links, because they can't break into your account, but you can open the door for them, and you just have to open it a little bit. On to the next slide here. For bank accounts, you can reduce the possibility of these with secure checks. There are kinds of checks that are imprinted and create a greater degree of security from being altered. If you haven't heard about it, positive pay and reverse positive pay are very good tools. With positive pay, the bank will send you a list of checks that are going to clear in the very near future, and you need to approve them, and they won't get cleared until you do so. With reverse positive pay, the bank will send you the same list, but if you are silent, then they assume you agree with those checks and they will clear the checks. A little bit of a different iteration of the same thing. Using a secure font, inserting asterisks, preventing adding another name, that's more about manual checks, because virtually all of your checks are probably written by computer and that happens automatically.

PAULA L MCELWEE: Good to know. We are writing fewer and fewer checks, so continually keeping up to date on options for keeping payments secure is important, because technology is changing minute by minute. The new options for looking at this... we don't write very many checks anymore.
A lot of it is automatic deposit or handled in other ways, so keep an eye on all the transactions and know what's happening in your account. Check often enough to make sure it makes sense. Don't just let it operate without your observation.

JOHN HEVERON JR: On the next slide, I'm going to say if the bank calls you and asks for your account number, don't give it to them. If you call the bank and they ask for your account number, give it to them. Don't trust that it is your bank, whether it comes to you by email or a phone call. Don't trust that it's your bank unless you initiate the call and you know you're calling the bank. Look for that HTTP data security protocol that should be on all banking websites, and probably any other site that requires security. Next slide. So your servers and workstations should only use operating systems that are currently supported. Windows 10 support ends this October, that's right around the corner. There are probably a lot of you out there that are operating on Windows 10, so you will need to upgrade to Windows 11.

PAULA L MCELWEE: That includes my husband just down the hall here. (Laughs)

JOHN HEVERON JR: I'm just in the middle of an upgrade here, so I'm not very far ahead of him. Operating system patches should be installed properly. They are not like a total system upgrade, but if cyber criminals or the software manufacturer discover a problem, a potential exposure in the software, they will issue a patch, and you will have to get it installed quickly, because the bad guys find out about these very quickly. You will get a notification about it, but that doesn't mean that you're doing something about it.

PAULA L MCELWEE: That's part of the full-time job those cyber criminals are doing, they are always looking for those holes and they drill in, and the software people are always trying to keep up with them, and if you don't keep up on your end, they will find you.

JOHN HEVERON JR: Absolutely.
PAULA L MCELWEE: And with backups, make sure you are storing them not on-site. Remember that disaster scenario: you have to be able to access that backup to be able to restore things, and make sure you are doing them frequently enough that you haven't lost something big.

JOHN HEVERON JR: On the next slide, we really already talked about this, but just to reiterate, IT training and IT security training should be provided at various times throughout the year. That includes social engineering. I think everybody knows what that means, but that's when people try to control what you do, try to get you to click on a link, by pretending to be someone other than who they are, either a person or a bank or something.

PAULA L MCELWEE: Probably an attachment is equally problematic. It can go either way, but you just don't want to do that with somebody you don't know. Don't. If it's somebody you think it doesn't make sense for, pick up the phone and call them and say, "Did you send this to me?" I have people do that. I send attachments to friends, and sometimes my friends ask if it's really me. That's fine, I do not mind. (Laughs)

JOHN HEVERON JR: Absolutely. A workstation should be set for automatic log off. I hope everybody has that, after two minutes of inactivity or something of that nature, so that the computer will automatically lock and it's your password again. On the next slide, having backups is a great idea, but make sure they work. Restore some data from your backups, just to make sure you will be able to do a big restoration if you ever need to. You should have surge protectors on your computers. If there's a power surge, this will limit the damage from that, but if you've got a battery backup and the power goes out, this will keep it running for a while. You need somebody who knows what they're doing, because these things need to be configured properly so that they can shut the computer down normally, not just extend the power.
It's like pulling the plug an hour later than when the power originally went out; that's not good enough. These things will shut your computer down properly if they are configured properly.

PAULA L MCELWEE: It's usually worthwhile, if you have the time and the funding to do it, to have a cybersecurity organization that helps you do some of this setup. I found it very valuable to contract with somebody. I worked with sharp people who knew a lot about computers, but that doesn't mean they understand your own server situation and the details about this kind of thing that John is talking about. You can't just plug-and-play this battery backup. It has to be set up to fit. Sometimes you will want to contract with somebody who does this, and it may not be long-term, but they can help you get set up. If you don't have this in place, I really recommend that.

JOHN HEVERON JR: Access to programs should be limited to those who need it. It should be removed for anybody who leaves or is terminated. On the next slide, hard drives should be defragmented periodically. I don't really know exactly what that is, but I know it's important. I know drives get temporary files on them...

PAULA L MCELWEE: They are so big these days that on a personal computer basis, we typically don't run into these. If you have a server or are working from a corporate computer, you are more likely to press on the top limit of what you can keep on your hard drive. A lot of times, as you delete files, they are not really deleted, but they are sitting out in the spare space on your hard drive unless you defrag. That's an important thing. Also, you want to make sure you know what your licenses are and what your warranty information is and what software version you have, and when you update something, are you updating it for everyone, so that everybody is using the same version of whatever software you're utilizing.
I think you will find these to be really helpful processes for keeping track, but think about that outside organization to help you monitor all that, because sometimes they know exactly what to look for and they can do that.

JOHN HEVERON JR: I will add to that, keeping track of your licenses and your software applications, that can be helpful if you're switching computers, but if you have a disaster and you don't have that information, that becomes critical, so it's really important to maintain that for a big event. If you have a disaster recovery policy, that should be high on the list, tracking all of that. Next slide. Paula, we've said it a few times.

PAULA L MCELWEE: I think we have. That's an important thing for you to look at. I love the tips of the day at the bottom there. You can get a copy of this where the links are clickable. It will be in an email that you get at the end of this presentation. Take the time to go in here and look at these. There are some nice tips, there's a short tip of the day, because what you want is constant awareness. People can just forget, they aren't paying attention. If you don't have set up the automatic shutdown of your computer when you walk away from your desk, for example, it's more likely that someone can try to get in either physically or remotely, so just these little reminders, and play one of them at the beginning of your staff meeting every time. A little reminder now and then of what to do, because the threats, I think probably a lot of you know what the threats are, you just think, "Not me." It just takes a moment of action, a minute of not thinking, "Why would I be hearing from my cousin Tammy?" Click, and it wasn't my cousin Tammy. Just constant awareness becomes a really key part of the protection of your systems.

JOHN HEVERON JR: The next slide, we have a link to the National Institute of Standards. Again, if you are developing policy, this would be great, because as you can see, it's very well organized.
It covers the different facets of security, which means identifying the people and devices and the programs that they use, the detection activities that help you learn about cyber attacks, and protecting, and the next page, sorry, responding, which is conducting analysis. If there is an incident, why did it happen? How did it happen? Not for blame, but for strategy, to eliminate future events. You never want to discourage people from stepping up. It's terrible if you have an incident, but you never want to discourage people from saying, "I'm not sure if what I clicked on today could have been a problem."

PAULA L MCELWEE: Yeah, it can happen just like that, and then they think, "What do I do?" Tell us right now what you did so we can take care of that situation.

JOHN HEVERON JR: I'm zipping right along on the next slide here, too.

PAULA L MCELWEE: Yeah, we need to get through. I'm sorry we went off to one side. Remember integrity, availability, confidentiality, as we talked about, is protecting things. Integrity means maintaining your systems, so continually making sure that your data is accurate and backed up and you can access it. Availability makes sure that you have time and interaction with the services you need.

JOHN HEVERON JR: Next slide. Sorry, I think we already covered that slide. We can go one more. A couple of the specific things: your wireless access, you don't want guests who come into your office to have the same wireless access that your staff would have. You have a separate guest access. Remind employees to never click on the OK button in pop-ups. These could download malware. Control W will shut it down. This is something I learned about fairly recently, but some computers automatically start running, executing a program, if you plug in a flash drive. You can disable that, and you should disable that. You don't want things to start running.

PAULA L MCELWEE: I've heard that there are flash drives just laying around out there; people leave them out intentionally.
You see that free flash drive on the park bench and you pick it up and put it in your pocket and take it home and see what's on it, and you have just activated something bad.

JOHN HEVERON JR: One more slide here. We have actually covered the first couple of points here, but the third one is that when you dispose of computers or copiers or other assets containing confidential information, they should be destroyed. There are companies that do this, I don't know if it's around everywhere, but they will pay to have these things destroyed, and we can get into this kind of destruction here. You should do that. I said copiers, you may not think about that, but when you make a copy of something, there's a hard drive, and those will often store information that could be copies of a paycheck or donor information or anything else. Make sure you are getting rid of all of those hard drives.

PAULA L MCELWEE: You don't realize how much information is out there that is stored automatically. You're not doing anything to make it happen, but it's stored, whether you wanted it to be or not.

[END]
[AUDIENCE QUESTIONS - NOT RECORDED]