Many churches have annual audits performed by CPA firms, often to satisfy the terms of building loans or to help demonstrate integrity in their finances to a watching world. Both are good reasons. And these days, auditors are also paying attention to potential IT issues. This is part of their due diligence to see if things are being done correctly. However, many of those auditors do not have professional IT training or experience, but simply work through a series of scripted questions and record the responses.
Even so, through this process, CPAs have heightened everyone's sense of appropriate IT security. Some of the things they have drawn attention to are very good, such as locked server rooms. However, on password strategies, they may have hurt us by recommending we change passwords every 90 days. The practice of changing passwords so often in churches actually lowers security! When employees or volunteers change passwords, they often write them on Post-It® notes or tape them to monitors and displays.