CISF Core Controls Catalog

A control catalog for the Church Integrity and Safety Framework (CISF).

Christ-Centered · Virtue-Guided · Practically Actionable


Domain 1 — Leadership & Oversight (LO)
Core virtues: Prudence, Courage, Justice
Care for the flock that God has entrusted to you. 1 Peter 5:2 (NLT)
Governance
Control Intent

The ministry establishes, documents, and disseminates a governance policy that defines leadership roles, responsibilities, and decision-making authority.

Example Implementation
  1. Gather existing bylaws, job descriptions, and informal practices about “who decides what.”
  2. Draft a 3–5 page “Governance Charter” that defines roles (board, pastors, staff), decision rights (who can hire/fire, spend, or speak publicly), and escalation paths.
  3. Have the board formally approve the charter and record the decision in meeting minutes.
  4. Create a one-page visual org chart for staff and elders, and post it on the website and in a visible location inside the building.
Suggested Tools
  • Word processor (e.g., Microsoft Word, Google Docs) to draft the Governance Charter.
  • Diagram or presentation tool (e.g., Visio, PowerPoint, Google Slides) to create the org chart.
  • Shared document repository (e.g., SharePoint, Google Drive) to store approved versions with version history.
Security Focus
  • Store the Governance Charter and org chart in an access-controlled library where only board and senior leaders can edit; others get read-only access.
  • Require MFA for any account that can edit or approve governance documents.
  • Enable version history and restrict external sharing to prevent unauthorized changes or distribution.
Control Intent

The organization defines clear boundaries for pastoral, operational, financial, and administrative responsibilities, ensuring no single individual holds conflicting authority.

Example Implementation
  1. List key functions (preaching, counseling, hiring, finances, safeguarding) and assign a “primary owner” and “accountability group” for each.
  2. Document specific conflict-of-interest rules (e.g., “The senior pastor does not sign checks or approve their own expenses”).
  3. Review the map annually with staff and elders and update when roles or staff change.
  4. For allegations of abuse or serious misconduct, make clear that senior leaders retain a non-delegable duty to verify that civil authorities were notified when required and that potentially at-risk people were warned; record this verification in writing.
Control Intent

The ministry develops and maintains a written ethical conduct standard for clergy, staff, and volunteers, including conflict-of-interest prohibitions.

Example Implementation
  1. Draft a 2–3 page code covering power dynamics, boundaries, financial integrity, and use of digital tools.
  2. Include practical examples (“Staff do not use pastoral authority to ask for personal favors or loans”).
  3. Require annual signed acknowledgment from staff, elders, and key volunteers, and retain copies with personnel or volunteer records.
  4. Integrate the code into onboarding and annual training sessions.
Control Intent

The church identifies and eliminates governance conflicts of interest, including self-policing or investigations conducted by interested parties.

Example Implementation
  1. Implement an annual disclosure form for elders and senior staff to list business ties, family relations on staff, and outside board memberships.
  2. Adopt a policy that anyone named in a complaint or closely related to the accused is recused from all related decisions.
  3. Require conflict-of-interest disclosures for investigative committees, tribunals, and safeguarding boards, and remove members from any case where they have relational, financial, or supervisory ties to the accused.
  4. Record recusals in board or tribunal minutes and keep all disclosure forms in a secure but accessible file for audit or review.
Control Intent

The ministry performs documented background checks on all staff and volunteers, and requires “Letters of Good Standing” for guest speakers, itinerant evangelists, or visiting ministers.

Example Implementation
  1. Standard Vetting: Select a reputable background-check provider and define clearly which roles require checks (e.g., pastors, elders, worship leaders, children’s and youth volunteers). Require checks to be renewed on a set schedule (e.g., every 2–3 years) for active roles.
  2. Guest Speaker Policy: Treat guest ministers, worship leaders, and traveling evangelists as “third-party vendors.” Require a formal Letter of Good Standing from their home church or denomination that confirms: current standing, whether any past disciplinary actions exist, and that there are no pending safeguarding concerns. Do not grant platform time or ministry access until the letter is received and reviewed by the Integrity & Safety Team or equivalent.
  3. Reference Checks: For all new hires and long-term ministry roles, require at least two references: one personal reference and one previous ministry/employer reference. Use a standard reference form that asks specifically about character, power dynamics, and any known concerns related to abuse, harassment, or boundary issues.
  4. Social Media Review: Designate a small team (e.g., HR deacon plus elder) to conduct a basic public social media review for red flags (e.g., bullying, hateful content, grooming-like behavior, public drunkenness, sexualized posts about minors) before appointment to leadership or platform roles. Note the date and reviewer in a vetting log.
Control Intent

The ministry establishes an independent ethics or safeguarding board with authority to receive reports and intervene in misconduct cases.

Example Implementation
  1. Form a 5–7 person “Integrity & Safety Team,” including at least two non-staff members and at least one woman.
  2. Give the team explicit authority in policy to initiate investigations and bring in external experts.
  3. For cases involving senior leaders (e.g., rector, bishop, denominational executive), require that a majority of the board are not employed by or supervised by the accused and that at least one member is an external professional (counselor, safeguarding expert, or attorney) with no prior ties to the accused.
  4. Set up a dedicated email address and/or anonymous web form that goes directly to this team.
  5. For churches in denominations, publish at least one reporting path that bypasses local leadership (e.g., provincial safeguarding officer) alongside local channels.
  6. Schedule at least two meetings per year devoted only to integrity and safety review.
Control Intent

The organization implements regular internal leadership reviews, performance evaluations, and moral-fitness assessments.

Example Implementation
  1. Implement an annual 360° review process for pastors and elders (board, peers, and staff feedback using a standard form).
  2. Require each pastor to meet at least yearly with a spiritual director, counselor, or mentor, with a brief confirmation to the board that the meeting occurred.
  3. Include questions about boundaries, work-life balance, and use of power in evaluations, not just “ministry outcomes.”
  4. Include explicit safeguarding questions (e.g., “Were you informed of any concerns and did you choose not to act?”) and treat failure to disclose or to act as a serious integrity issue.
Domain 2 — Finance & Stewardship (FS)
Core virtues: Justice, Temperance, Faithfulness
Now, a person who is put in charge as a manager must be faithful. 1 Corinthians 4:2 (NLT)
Financial Integrity
Controls promote honest, transparent handling of money and assets.
Control Intent

Financial responsibilities are divided among multiple individuals to prevent unauthorized transactions or fraud.

Example Implementation
  1. Map the money flow (collection → counting → recording → depositing → reconciling) in a simple diagram.
  2. Assign different people to each step (e.g., counters, bookkeeper, treasurer) and document this in a short policy.
  3. Require at least two unrelated people to be present whenever cash is handled or counted.
  4. Review the duties map annually and when staffing changes occur.
Suggested Tools
  • Spreadsheet (e.g., Excel, Google Sheets) to list each step in the money flow and who performs it.
  • Diagram or presentation tool (e.g., Visio, PowerPoint, Google Slides) to draw a simple flowchart of the end-to-end process.
  • Shared, access-controlled Finance library (e.g., SharePoint, a Google Shared Drive) to store the diagram and policy.
Security Focus
  • Restrict edit access to the Finance library to finance staff and designated leaders; others may have read-only access if appropriate.
  • Require MFA for anyone with permission to approve or initiate financial transactions or modify the duties map.
  • Use version history so any changes to the flow or assignments can be reviewed and, if necessary, rolled back.
Control Intent

The organization requires multi-party approval for expenditures, disbursements, and financial commitments above a designated threshold.

Example Implementation
  1. Set a dollar threshold (e.g., $1,000 or $2,500) above which two signatures or approvals are required.
  2. Configure bank accounts or online bill-pay systems to enforce dual approval for larger transactions.
  3. Include documentation (invoice, contract) with each approval and retain it in a centralized digital folder.
  4. Report any exceptions to the board and document why they occurred.
Control Intent

The ministry provides regular financial summaries to leadership and appropriate congregational representatives.

Example Implementation
  1. Each quarter, prepare a one-page summary showing income, expenses, cash reserves, and debt.
  2. Share the summary with the board and then either post it on the member portal or distribute at members’ meetings.
  3. Provide a simple “how to read this page” key so non-experts can understand it.
Control Intent

The church conducts routine internal audits and reconciliations of expenses, revenue, and bank records.

Example Implementation
  1. Quarterly, appoint two non-staff members to compare bank statements, accounting software, and giving records for consistency.
  2. Use a simple checklist to verify random samples of transactions and deposits.
  3. Document findings in a short memo to the board, including any corrections made.
  4. Rotate internal reviewers every 1–2 years to avoid over-familiarity.
Control Intent

An independent third party performs an annual audit or review of church finances.

Example Implementation
  1. Engage a CPA firm or independent accountant to perform at least a review (if not a full audit) once per year.
  2. Ask them to provide a written letter noting strengths, weaknesses, and specific recommendations.
  3. Require the board to discuss the findings in a dedicated agenda item and assign owners and due dates for each recommendation.
  4. Communicate key themes (not sensitive details) to the congregation at the next members’ meeting.
Control Intent

The ministry maintains an up-to-date record of physical equipment, purchased assets, loaned devices, and high-value resources.

Example Implementation
  1. Create a basic spreadsheet listing each significant asset: description, serial number, location, assigned steward, purchase date, and approximate value.
  2. Tag physical items with labels or asset tags that correspond to the inventory list.
  3. Review and update the inventory at least annually or whenever major purchases or disposals occur.
  4. Use the inventory for insurance reviews and budget planning.
Control Intent

The church documents and implements donor privacy restrictions and prohibits coercive or manipulative fundraising practices.

Example Implementation
  1. Write a short donor privacy statement explaining who can see giving records (e.g., limited finance staff and treasurer).
  2. Forbid fundraising tactics that shame or pressure people, such as public leaderboards of givers or public recognition tied to dollar amounts.
  3. Train pastors and staff not to link pastoral care or access to leadership with the size of someone's giving.
  4. Make the donor privacy statement available on giving envelopes and the church website.
Domain 3 — Technology & Data Safety (TD)
Core virtues: Temperance, Truth, Prudence
Wise choices will watch over you. Understanding will keep you safe. Proverbs 2:11 (NLT)
Digital Safety
Controls help guard digital “gates” — data, systems, and communication.
Control Intent

The ministry categorizes all data by sensitivity (public, internal, confidential, pastoral) and applies appropriate handling requirements.

Example Implementation
  1. Create a one-page classification table that defines categories (public, internal, confidential, pastoral) with concrete examples for each.
  2. For each category, specify where it may be stored (e.g., pastoral data only in encrypted systems with limited access) and how it may be shared.
  3. Label key folders or systems with their data category and train staff on what that means in practice.
  4. Review the classification annually to capture new tools (e.g., a new app or service).
Suggested Tools
  • Spreadsheet (e.g., Excel, Google Sheets) to maintain a data classification register listing systems, data types, owners, and classifications.
  • Word processor or docs tool to create a one-page classification policy summary for staff.
  • Cloud storage with access control (e.g., SharePoint, Google Drive) to store the register and policy in a centralized “Data Governance” area.
Security Focus
  • Restrict edit access to the classification register to a small group (e.g., tech lead, administrator, safeguarding representative).
  • Require MFA for accounts with access to modify classification or highly sensitive categories (e.g., pastoral/confidential data).
  • Ensure the classification register is backed up and under version control so you can track changes over time.
Control Intent

Users receive only the access necessary for their roles, with regular review and removal of unused accounts.

Example Implementation
  1. Define role-based groups in each major system (e.g., “Finance,” “Pastors,” “Volunteers”) instead of granting permissions one person at a time.
  2. Run a quarterly access review: export a list of users, verify who still needs access, and remove accounts for former staff or volunteers.
  3. Immediately disable accounts when staff depart, using a termination checklist that includes all relevant systems.
Control Intent

Critical systems and administrative accounts require multi-factor authentication.

Example Implementation
  1. Turn on MFA for church email, cloud storage, church management software, and any financial or giving platforms.
  2. Provide step-by-step instructions or short videos showing staff how to enroll their devices in MFA.
  3. Require MFA for all admin-level accounts and prohibit sharing of administrator logins.
Control Intent

The church defines secure channels for pastoral counseling, internal communication, and sensitive conversations.

Example Implementation
  1. Publish a short list of “approved channels” for sensitive topics (e.g., church email and specific messaging platforms; never social media DMs).
  2. Require staff and volunteers to keep pastoral and counseling messages on church-controlled accounts where logs can be retained.
  3. Train leaders not to discuss confidential matters over unencrypted or personal channels unless the risk is clearly low and documented.
Control Intent

The ministry enforces device controls, including password protection, encryption, updates, antivirus, and remote-wipe capability.

Example Implementation
  1. Require a PIN or password on all laptops, tablets, and phones that access church systems, with automatic screen lock after a short timeout.
  2. Enable full-disk encryption on laptops and use built-in tools (e.g., “Find My” or equivalent) for remote lock and wipe.
  3. Standardize on a particular antivirus/endpoint security product and ensure it is installed and updated on all managed devices.
  4. Maintain a list of approved and registered devices tied to user accounts.
Control Intent

Third-party vendors are vetted for data protection standards before adoption.

Example Implementation
  1. Create a short vendor checklist: encryption, MFA support, data ownership terms, incident response commitments, and data deletion process.
  2. Before adopting any new app or platform, require completion of the checklist and attach it to the contract or approval email.
  3. Review major vendors at least every 2–3 years to ensure their security posture remains acceptable.
Control Intent

The organization logs system access, administrative activity, and changes to sensitive data.

Example Implementation
  1. Enable audit logging in key systems (email, file storage, church management, giving platform).
  2. Designate a security champion to review summarized logs monthly and investigate unusual events (e.g., logins from unexpected countries or large data exports).
  3. Store logs for at least 6–12 months by default, and longer for incidents related to safeguarding or misconduct as defined in TD-10 and AR-2.
  4. Use systems where deletion of logs requires at least two authorized people and is itself logged.
Control Intent

The ministry maintains encrypted backups of critical data with documented restoration procedures.

Example Implementation
  1. Identify mission-critical systems (church management, financial records, key documents) and confirm they are backed up at least daily.
  2. Ensure backups are encrypted and stored in a separate location or service from the primary system.
  3. Twice per year, perform a test restore of a random file or folder and document the result and time required.
  4. Write a one-page “How to restore from backup” guide accessible to at least two people.
Control Intent

The church uses security tools or processes to detect unauthorized access or data exposure.

Example Implementation
  1. Turn on built-in security alerts for unusual login activity or large data downloads in cloud tools.
  2. Educate staff on how to report suspicious emails or login prompts (e.g., via a special “security@church.org” address).
  3. Maintain a simple incident log capturing date, what was noticed, how it was handled, and lessons learned.
Control Intent

The church implements a schedule for secure deletion of old or unnecessary data.

Example Implementation
  1. Set clear retention periods for each category (e.g., routine emails 2 years, financials 7 years, counseling notes 7–10 years, depending on local law and counsel).
  2. For incidents related to abuse or serious misconduct, place a “legal hold” on related records and logs so they are preserved for long periods (e.g., 25 years or as advised by counsel and survivor advocates).
  3. Schedule periodic “data clean-up” days where old records are reviewed and securely deleted or shredded according to the schedule.
  4. Use secure deletion tools or shredding services for both digital and paper records containing sensitive information.
Domain 4 — Communication & Transparency (CT)
Core virtues: Truth, Honesty, Courage
Let us tell our neighbors the truth, for we are all parts of the same body. Ephesians 4:25 (NLT)
Public Witness
Controls for truthful, compassionate internal and external communication.
Control Intent

The organization publishes key safety, communication, and safeguarding policies on its website.

Example Implementation
  1. Create a “Safety & Integrity” page with links to PDFs or web pages containing your core policies (abuse prevention, financial integrity, reporting pathways).
  2. Summarize each policy in 2–3 bullet points written in plain language for non-experts.
  3. Review the page at least annually to ensure links and policies are current and clearly visible from the main navigation.
Control Intent

The ministry maintains a documented plan for communicating during crises, data breaches, or misconduct revelations.

Example Implementation
  1. Identify scenarios (abuse allegation, financial fraud, building emergency, data breach) and outline communication steps for each.
  2. Create draft templates for emails, website statements, and social media posts that can be quickly customized.
  3. Define who approves statements (e.g., board chair plus senior pastor) and how quickly communication must go out.
  4. Set explicit time targets for serious cases (e.g., initial internal communication plan drafted within 72 hours; public statement within a defined window once key facts and legal obligations are clear). Document any missed timelines and treat them as process failures to be reviewed.
  5. Rehearse the plan at least once every two years in a table-top exercise with key leaders.
Control Intent

Public statements prioritize accuracy, compassion, and transparency, avoiding minimization or legalistic framing.

Example Implementation
  1. Develop a checklist for public statements that includes: acknowledge harm, avoid blaming language, avoid overly vague language, and avoid centering only the institution’s reputation.
  2. Whenever a statement affects a survivor, seek input (where appropriate and safe) from trauma-informed advisors before publication.
  3. Commit in policy not to call allegations “gossip” or “misunderstandings” in official communication when they are under serious review.
Control Intent

The church defines proper use of email, messaging apps, announcements, and mass communication tools.

Example Implementation
  1. Write a one-page guide explaining which channels are used for which types of communication (e.g., all-church email for major updates, Slack/Teams for staff).
  2. Prohibit sharing confidential pastoral details in large group threads or on channels without access controls.
  3. Establish a process for reviewing mass emails before they go out to avoid misstatements or insensitive language.
Control Intent

The organization maintains social media guidelines for clergy, staff, and volunteers to prevent misuse or harm.

Example Implementation
  1. Draft a short policy that addresses direct messaging with minors, posting photos, political engagement, and public conflict.
  2. Require staff to use separate personal and official accounts when speaking on behalf of the church.
  3. Specify that pastoral or confidential matters are not to be handled through public threads or comments.
  4. Review high-visibility posts by at least two staff members before publication on official channels.
Control Intent

The church provides a yearly summary of integrity measures, audit results, and improvements made.

Example Implementation
  1. At the end of each year, compile key indicators: audits completed, trainings delivered, incidents reported, and corrective actions taken.
  2. Present these in a 1–2 page report, with clear headings and minimal jargon.
  3. Share the report with members through email, a printed handout, or the website, and allow time for questions at a members’ meeting.
Domain 5 — Care & Safety (CS)
Core virtues: Love, Mercy, Protection
So guard yourselves and God’s people. Feed and shepherd God’s flock, his church, purchased with his own blood. Acts 20:28 (NLT)
Safeguarding
Controls centered on protecting vulnerable people and responding well to harm.
Control Intent

All staff and volunteers complete trauma-informed, survivor-centered abuse prevention training.

Example Implementation
  1. Choose a vetted abuse-prevention curriculum (online or in person) recognized by credible safeguarding organizations.
  2. Require completion for all staff and any volunteer working with minors or vulnerable adults, prior to serving.
  3. Track training completion dates and renewal cycles in a central spreadsheet or database.
  4. Refresh training at least every 2–3 years, and when laws or best practices change.
Control Intent

The ministry maintains state-compliant procedures for reporting abuse and ensures all staff understand their legal obligations.

Example Implementation
  1. Consult local laws or legal counsel to identify mandatory reporter requirements in your jurisdiction.
  2. Create a one-page flowchart for “If you suspect abuse” that includes hotline numbers, law enforcement contacts, and internal notification steps.
  3. Review the flowchart in every child safety training and post it in staff-only areas.
  4. Teach explicitly that reporting to the church does not substitute for reporting to authorities when required, and that internal confidentiality or legal advice does not override civil law.
  5. Require any advice that reporting is “not necessary” to be documented in writing, automatically reviewed by the Integrity & Safety Team, and, when feasible, confirmed by a second independent legal or safeguarding opinion. When in doubt, default to reporting.
Suggested Tools
  • Word processor or layout tool to write and format the mandatory reporting procedure and one-page flowchart.
  • Diagram or presentation tool (e.g., PowerPoint, Google Slides, Visio) to create a clear, printable decision tree for “If you suspect abuse.”
  • Intranet or document portal (e.g., SharePoint page, private section of the church website) to make the procedure easily findable for staff and volunteers.
Security Focus
  • Store detailed procedures and any legal advice regarding reporting in a restricted Safeguarding or Legal library with limited access.
  • Require MFA for all staff with responsibilities to act on reports (e.g., pastors, safeguarding team, key administrators).
  • Ensure that any notes or emails related to specific reports are stored in the secure incident or safeguarding repository, not in personal email folders or local devices.
Control Intent

A trained, designated team (internal or external) handles allegations of abuse, misconduct, or pastoral harm — including sexual abuse, physical abuse, spiritual abuse, harassment, bullying, and patterns of coercive control.

Example Implementation
  1. Identify 3–5 individuals (including at least one woman and one non-staff member) to serve as a response team.
  2. Provide them with basic trauma-informed training focused on listening, support, and appropriate referrals.
  3. Give this team direct access to independent experts (counselors, attorneys, external investigators) to consult when needed.
  4. Publish a simple, safe way for people to contact the team (e.g., dedicated email address and phone line).
Control Intent

Anyone who reports misconduct is protected from retaliation, punishment, or social shaming.

Example Implementation
  1. Explicitly state in policy that retaliation against reporters or witnesses is itself a serious offense.
  2. Provide at least one anonymous reporting channel for concerns about retaliation.
  3. Coach leadership not to remove people from membership, service, or community as a result of making good-faith reports.
  4. Investigate reports of retaliation quickly and transparently, with documented outcomes.
Control Intent

Two-person rules, controlled spaces, secure sign-in systems, and volunteer background checks.

Example Implementation
  1. Require at least two unrelated adults to be present in any classroom or youth activity where minors are present.
  2. Use a check-in/check-out system that matches children to specific guardians, with ID checks for visitors.
  3. Forbid closed-door one-on-one meetings between adults and minors unless visible through windows or glass panels.
  4. Require background checks for all volunteers and staff working with minors and refuse service until checks are complete.
  5. Include supervision ratios and peer-on-peer risks explicitly: separate sleeping arrangements by age on trips, and strict anti-hazing and anti-bullying rules with clear consequences.
Control Intent

Boundaries for confidentiality, documentation standards, crisis escalation pathways, and prohibitions on private, unmonitored counseling channels.

Example Implementation
  1. Define where and how pastoral counseling occurs (e.g., offices with windows or open doors, not private homes without accountability).
  2. Define spiritual abuse in policy (e.g., using spiritual authority to manipulate, silence, or coerce) and train counselors and elders to recognize and avoid it.
  3. Provide guidance on concise, factual note-taking that avoids unnecessary detail but records risks and referrals.
  4. Establish clear criteria for when issues must be escalated to authorities or mental health professionals.
  5. Prohibit using secret online accounts or disappearing-message apps for pastoral counseling.
Control Intent

Access controls, key management, safety monitoring, and emergency preparedness.

Example Implementation
  1. Keep a list of who has keys or electronic access badges and reclaim them promptly when roles change.
  2. Lock exterior doors during services except for monitored entry points.
  3. Clearly post evacuation routes and conduct occasional drills for staff and volunteers.
  4. Review building security annually with local law enforcement or safety professionals if possible.
Control Intent

Policies strictly prohibit one-on-one private communication between adults and minors, ensuring a “Digital Chaperone” is always present, while preserving the sanctity of physical religious rites.

Example Implementation
  1. The “Digital Chaperone” Rule: Adults (staff or volunteers) must never communicate 1-on-1 with a minor via text, direct message, or social media. All digital communication must copy a third party: either the parent/guardian or a second unrelated adult leader. Group chats for youth ministry must include at least two screened adult leaders and, where feasible, parents or guardians.
  2. Gaming & Virtual Spaces: Classify gaming lobbies and online platforms (e.g., Roblox, Fortnite, Discord voice channels, gaming party chat) as “closed rooms.” An adult leader must not be in a voice chat, private lobby, or invite-only server alone with a minor. If online gaming is used in ministry contexts, require multi-adult presence and clear written guidelines for what is and is not appropriate.
  3. Sacramental Exception (Confession): Formal religious rites requiring confidentiality (e.g., the Rite of Reconciliation/Confession) are the only exception to the “two-adult” rule, and only under strict constraints:
    • They occur only in physical spaces designed for visibility and safety (e.g., a confessional booth with a screen, or an office with a glass window or open door in a public area).
    • They are never conducted online, via video call, text, or any digital platform. There is no such thing as a “Digital Confessional.”
  4. Transparency for Parents: Communicate clearly in policy and in parent meetings that parents/guardians have the right to view all communications between their child and church leadership at any time. Where platforms allow, configure settings so that parents are included on message threads or can access chat histories on request.
Control Intent

The church provides independent, survivor-directed care and support that is not contingent on silence or institutional protection.

Example Implementation
  1. Within 7 days of a report, offer to fund a defined number of counseling sessions (e.g., 6–12) with a counselor chosen by the survivor, not by the church.
  2. Provide written information on independent survivor advocacy organizations and legal resources.
  3. State in policy that non-disclosure agreements or confidentiality clauses are never required as a condition of care; if a survivor requests privacy, ensure they have independent legal advice.
  4. Clarify that pastoral care is optional and must never be used to pressure or manage the survivor’s narrative.
Control Intent

Adults never transport a minor alone for church-related activities; rides follow a “Rule of Three” or pre-approved caravan protocol.

Example Implementation
  1. Adopt a written rule that no adult leader or volunteer may transport a minor alone in a vehicle for any church-sponsored activity, including “just a quick ride home.”
  2. Require either a third person in the vehicle (another unrelated adult or another youth) or a multi-car caravan where at least two adults are present across vehicles and routes are known.
  3. Ensure all drivers in youth or children’s ministry are vetted (background check, license and insurance verification) and documented in a driver list maintained by the church.
  4. Communicate the transportation policy to parents and youth annually and include it in trip permission forms and event sign-ups.
Domain 6 — Formation & Training (FT)
Core virtues: Wisdom, Discipline, Prudence
Getting wisdom is the wisest thing you can do. And whatever else you do, develop good judgment. Proverbs 4:7 (NLT)
Discipled Practice
Controls that build a culture of integrity through ongoing formation.
Control Intent

Staff and volunteers receive training tailored to their duties (e.g., finance, children’s ministry, pastoral care).

Example Implementation
  1. Identify key roles (children’s worker, treasurer, small group leader, etc.) and list the competencies required for each.
  2. Build simple training paths (e.g., a checklist of videos, readings, and in-person sessions) for each role.
  3. Require completion of the relevant path before someone begins serving and keep a record of completed training.
  4. Update paths at least every two years to reflect new lessons learned and best practices.
Control Intent

The church teaches privacy, digital wisdom, cybersecurity hygiene, and online ethics.

Example Implementation
  1. Develop or adopt a short annual training covering passwords, phishing, safe online behavior, and privacy for congregants and staff.
  2. Use real-world examples of scams or compromises that have affected churches.
  3. Integrate digital wisdom topics into youth and adult discipleship settings (e.g., classes on screen time, online speech, and discernment).
Control Intent

Leaders participate in ongoing training in virtue ethics, humility, boundaries, and spiritual formation related to integrity.

Example Implementation
  1. Host yearly retreats for elders and pastors focused explicitly on themes like power, vulnerability, and repentance.
  2. Study case examples of church failures and discuss how similar failures could be prevented in your context.
  3. Encourage leaders to develop personal rules of life and accountability structures, and revisit them annually.
Control Intent

Members are taught about transparency, trust, digital habits, and safety culture as part of discipleship.

Example Implementation
  1. Offer periodic classes or sermon series on topics such as “Healthy Authority,” “Safe Community,” and “Wisdom in a Digital Age.”
  2. Provide practical handouts or guides for families on privacy, online conduct, and how to report concerns.
  3. Integrate brief safety and integrity reminders into regular communication (e.g., monthly email segments or bulletin notes).
Control Intent

All personnel receive updated training on policies, legal obligations, and safety protocols.

Example Implementation
  1. Schedule a yearly “Policy & Safety Update” for staff and key volunteers that reviews key policies and highlights any changes.
  2. Provide short quizzes or acknowledgement forms to confirm understanding and attendance.
  3. Use real incidents (with identifying details removed) from your church or others as case studies to reinforce why policies matter.
Control Intent

After major issues, the church conducts post-incident analysis and provides targeted retraining.

Example Implementation
  1. After every serious incident (e.g., boundary violation, data loss), convene a confidential review with key leaders and the safeguarding or integrity team.
  2. Identify at least one policy improvement and one training improvement, and assign owners and deadlines.
  3. Incorporate these lessons into the next refresh of staff training, safeguarding classes, or digital safety sessions.
Domain 7 — Accountability & Redress (AR)
Core virtues: Justice, Mercy, Truthfulness, Courage
But be sure that everything is done properly and in order. 1 Corinthians 14:40 (NLT)
Redemptive Accountability
Controls to surface truth, care for the harmed, and correct course.
Control Intent

The ministry provides safe, anonymous, third-party reporting options.

Example Implementation
  1. Implement an anonymous online reporting form or partner with a confidential hotline provider.
  2. Ensure access to the reports is restricted to the integrity or safeguarding team, not general staff.
  3. Publicize the reporting channel in the building, on the website, and in volunteer training materials.
  4. Regularly review the channel’s functionality and the promptness of responses.
Control Intent

All allegations or incidents are logged, timestamped, and preserved according to policy.

Example Implementation
  1. Create a secure incident log (spreadsheet or case management tool) accessible only to a small, authorized group.
  2. Record key details: date, reporter (if known), nature of concern, immediate actions, and current status, with explicit categories (sexual, physical, spiritual, emotional, harassment/bullying, financial, digital).
  3. Assign each case an ID number and use that ID in all follow-up documentation.
  4. Include a brief note indicating whether authorities or external parties were notified.
  5. Store the incident log in a system where deletion requires dual authorization and is itself logged.
Suggested Tools
  • Spreadsheet or table-based tool (e.g., Excel, Google Sheets, Microsoft Lists) to maintain the structured incident register.
  • Secure file repository (e.g., restricted SharePoint library, secure Google Shared Drive) to store supporting documents, emails, and reports linked to each incident ID.
  • Optional: Task or ticketing system (e.g., Planner, Trello, Asana) to track follow-up actions and deadlines for each case.
Security Focus
  • Limit access to the incident log and supporting files to the Integrity & Safety Team and other designated leaders; do not store these on general shared drives.
  • Require MFA and strong passwords for all accounts with access to incident records, and review membership of the access group at least quarterly.
  • Apply long-term retention and legal holds for abuse or serious misconduct cases so records cannot be quietly deleted or lost.
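The logging control above (timestamped entries, case IDs, explicit categories, deletion only with dual authorization and itself logged, legal holds) can be sketched as an added example; this is not part of the CISF catalog or any tool it names. The class, field, and method names are assumptions, and the hash-chained audit trail goes one step beyond the text to make tampering with the deletion log detectable.

```python
import hashlib
import json
from datetime import datetime, timezone

# Categories come from the control text; every other name is an assumption.
CATEGORIES = {"sexual", "physical", "spiritual", "emotional",
              "harassment/bullying", "financial", "digital"}

def _digest(entry):
    # SHA-256 over the audit entry, excluding its own "hash" field.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class IncidentRegister:
    def __init__(self, access_group):
        self.access_group = set(access_group)  # small, authorized group only
        self.cases = {}   # case ID -> record
        self.audit = []   # append-only, hash-chained trail of every action

    def _log(self, action, case_id, actors):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "action": action,
                 "case_id": case_id, "actors": sorted(actors),
                 "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def record(self, actor, category, nature, reporter=None,
               immediate_actions="", authorities_notified=False, legal_hold=False):
        if actor not in self.access_group:
            raise PermissionError("actor is not in the access group")
        if category not in CATEGORIES:
            raise ValueError("unknown category: " + category)
        # The audit trail only grows, so an ID is never reused after deletion.
        case_id = "CASE-%04d" % (len(self.audit) + 1)
        self.cases[case_id] = {
            "date": datetime.now(timezone.utc).isoformat(), "reporter": reporter,
            "category": category, "nature": nature, "status": "open",
            "immediate_actions": immediate_actions,
            "authorities_notified": authorities_notified, "legal_hold": legal_hold}
        self._log("create", case_id, [actor])
        return case_id

    def delete(self, case_id, approver_a, approver_b):
        approvers = {approver_a, approver_b}
        ok = (len(approvers) == 2 and approvers <= self.access_group
              and not self.cases[case_id]["legal_hold"])
        # Denied attempts are logged too, so quiet deletion attempts leave a trace.
        self._log("delete" if ok else "delete_denied", case_id, approvers)
        if not ok:
            raise PermissionError("needs two distinct authorized approvers, no legal hold")
        del self.cases[case_id]

    def audit_intact(self):
        # Recompute the chain; any edited or removed entry breaks it.
        prevs = ["0" * 64] + [e["hash"] for e in self.audit]
        return all(e["prev"] == p and e["hash"] == _digest(e)
                   for e, p in zip(self.audit, prevs))
```

A spreadsheet cannot enforce these rules by itself; if one is used, the same properties have to come from the platform's permissions, version history, and retention settings.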
Control Intent

Misconduct or abuse allegations are handled by trained responders who are not part of the implicated leadership chain.

Example Implementation
  1. Write a protocol stating that credible allegations against leaders automatically trigger an external or independent investigation.
  2. Identify one or two external organizations or professionals in advance who can perform investigations.
  3. Ensure the accused has no role in choosing or directing the investigator.
  4. Inform survivors who chose the investigator and how conflicts were screened; allow them to raise objections, which must be reviewed by the independent oversight board.
  5. Document investigative steps and preserve findings in a confidential archive.
Control Intent

The organization follows a documented, timely, survivor-first response for moral, financial, or digital breaches.

Example Implementation
  1. Develop a step-by-step incident response plan that begins with immediate safety and pastoral care for those harmed.
  2. Set explicit timelines for serious cases (e.g., survivor contacted within 24–48 hours by a trained responder; mandatory reporting decisions documented within 72 hours; oversight board convened within 7 days for major cases).
  3. Include legal reporting obligations, communication requirements, and the role of the board in decision-making.
  4. Provide survivors with regular status updates (e.g., monthly or at a mutually agreed cadence) until matters are resolved.
  5. After each major incident, review how closely the response followed the plan and adjust the plan as needed.
Control Intent

Survivors are notified appropriately; the congregation is informed of the existence of investigations into senior leaders to prevent “secrecy” from being disguised as “confidentiality.”

Example Implementation
  1. Define “Public vs. Private”: Establish a clear distinction between personal counseling or pastoral care details (private) and the employment/ministry status of a leader (public). For example, statements such as “Placed on leave pending investigation,” “Removed from ministry,” or “Restrictions imposed on ministry role” are public governance information, not private pastoral information.
  2. Survivor-First Notification: Whenever legally and ethically appropriate, require that survivors or those harmed are informed before any public announcement is made. Provide them a copy of the planned statement and an opportunity to raise concerns about tone, accuracy, or unintended harm (without giving them the burden of authoring the statement themselves).
  3. Clear Communication: Ensure that notifications are clear, compassionate, and free of minimizing language. Avoid vague euphemisms such as “moral failure” when “abuse,” “harassment,” or “misconduct” are the accurate legal or ethical terms. Where law or counsel limits detail, say so plainly rather than hiding behind generalities.
  4. Documentation: Document exactly who was notified, what was communicated, and when. Keep copies of written statements, emails, and scripts used for verbal announcements in the incident file associated with the case.
Control Intent

The ministry documents remediation steps, including policy changes and leadership adjustments.

Example Implementation
  1. After an investigation, produce a confidential summary for the board describing the findings and required changes.
  2. List specific corrective actions (policy edits, leadership changes, training updates) with assigned owners and deadlines.
  3. Track completion of corrective actions and report progress back to the board regularly until complete.
  4. Where appropriate, document and communicate survivor-facing remedies (public apology, restitution where appropriate, restored opportunities) in addition to internal procedural fixes.
Control Intent

Clear criteria for discipline, removal from ministry, and optional restoration with safeguards.

Example Implementation
  1. Define in policy which kinds of misconduct permanently disqualify someone from certain roles.
  2. Outline possible restoration paths for lesser offenses, always with significant time, counseling, and external accountability.
  3. Ensure any restoration plan includes strict boundaries, reduced authority, and clear communication to appropriate parties.
  4. Review each restoration case periodically and adjust or terminate the plan if risks remain high.
Control Intent

The church maintains and periodically publishes anonymized summaries of resolved incidents and corrective actions.

Example Implementation
  1. Maintain a confidential tally of categories of cases handled each year (e.g., boundary concerns, financial questions, policy violations).
  2. Once a year, prepare an anonymized summary for members that indicates how many issues were reported and broadly how they were addressed.
  3. Include any major policy improvements that resulted, reinforcing that reporting leads to change.
  4. When third-party investigations are commissioned, the default is to publish at least a public summary of findings (with survivor identities protected). Any decision not to publish must be documented with specific reasons and reviewed by the oversight board and an external advisor.
Control Intent

An outside organization conducts yearly integrity, safety, and governance reviews.

Example Implementation
  1. Invite an external ministry partner, consultant, or denominational body to conduct an annual review of governance, safeguarding, and integrity practices.
  2. Provide them with access to policies, selected case files, and training materials (with appropriate confidentiality safeguards).
  3. Request a written report highlighting strengths, weaknesses, and prioritized recommendations.
  4. Integrate their recommendations into your corrective action tracking process.
  5. At least every 3–5 years, ensure the external reviewer is structurally independent of the local leadership (e.g., outside the diocese or organizational chain) so that patterns of failure by senior leaders can be named.
Control Intent

Legal counsel is used to pursue truth and protection, not to conceal systemic failures. Non-Disclosure Agreements (NDAs) and non-disparagement clauses related to misconduct are strictly prohibited.

Example Implementation
  1. No NDAs: The ministry explicitly prohibits the use of NDAs or “non-disparagement clauses” in any settlement, severance, or departure agreement related to abuse, harassment, exploitation, or other serious misconduct. Severance or assistance may be provided as a matter of mercy or fairness, but never in exchange for silence or restriction of truthful speech.
  2. Ethical Privilege: Adopt a written principle that attorney–client privilege is never invoked to hide patterns of abuse, negligence, or criminal activity from the congregation, from appropriate church authorities, or from civil authorities. Privilege may be used to protect sensitive survivor details or legal strategy, not to suppress the existence of wrongdoing.
  3. Investigation Transparency: When commissioning external investigations, specify in the engagement letter that the church’s intent is to release a public summary or report, redacted only as needed to protect survivor safety and privacy (and minors). Communicate this intention to the congregation and to survivors early in the process.
  4. Withholding Reports: Any decision to withhold an external report, delay its release, or publish only a highly restricted summary must be documented with specific reasons (e.g., active criminal proceedings, explicit survivor request). That decision must be reviewed by the independent oversight board and, where possible, at least one external safeguarding or legal expert not directly tied to the implicated leadership.
Control Intent

The organization will not provide misleading or “clean” references for individuals who resigned under investigation or were removed for cause.

Example Implementation
  1. Adopt a written policy that the church will answer reference questions truthfully regarding safety, eligibility for rehire, and whether the person left while under investigation or after substantiated misconduct.
  2. Centralize reference responses for former staff and key volunteers to a designated officer (e.g., board chair, HR deacon) rather than allowing informal references.
  3. Require that any request to give a “neutral” or “positive-only” reference after serious concerns have been raised is denied and logged as an attempted policy exception.
  4. Train leaders that “passing the trash” (quietly sending a problem leader to another church) is itself a safeguarding failure and must never be done.