Section 1: Access Controls & User Permissions
Set up quarterly. Takes about 15 minutes. You may need to talk briefly with the person who manages your payroll platform.
- Confirm only authorized staff have access to your payroll system. Pull the user list from your payroll platform and read every name. If you don’t recognize someone, or if a volunteer or former staff member is still listed, that’s the first thing to fix. Formally review this list at least quarterly.
- Verify multi-factor authentication (MFA) is on for every user. Verizon’s 2026 Data Breach Investigations Report found that 62% of breaches involve a human element, and stolen credentials are the #1 way attackers get in. MFA blocks the vast majority of credential attacks, with no exceptions for the senior pastor or the treasurer.
- Revoke access for anyone who has left since your last pay run. Including departing staff, interns, contract bookkeepers, and summer volunteers. If their access wasn’t deactivated within 24 hours of their last day, do it now. Lingering accounts are one of the most common breach paths.
- Confirm no one is sharing a login. “We just use the finance@ login” is one of the highest-risk patterns we see in churches. Every person who touches payroll needs their own credentials to maintain an audit trail.
- Check that approval rights and data-entry rights are split. The person who enters a new employee or changes a direct deposit should not be the same person who approves the payroll run. This is called “segregation of duties.”
