Building a culture of nonprofit compliance at Candid
Here’s a familiar scene: your nonprofit organization just won its first big grant, and you’re ecstatic. But before receiving funds, you need to show you’re legally registered, governed by a board, and have solid financial management policies. On top of that, there’s a lengthy contract to review and sign. It’s a lot of due diligence and compliance work to handle.
At Candid, we can relate. We’ve had our own share of nonprofit compliance undertakings over the years.
In 2023, Candid completed our first external SOC 2 audit, a collaborative effort across our administrative teams. For background, SOC 2 is a framework for organizations offering information and technology services (e.g., software, business intelligence, data storage, financial reporting) to ensure they can operate smoothly. Now that we’ve done our audit (at least until next year), I’m taking a moment to reflect on key takeaways from our compliance initiative that all nonprofits can benefit from.
Whether you’re preparing for a financial audit, creating a new employee policy, or gathering materials to establish a new nonprofit, your compliance efforts are likely to succeed if you have the whole organization on board. In this blog, I’ll share lessons learned from our SOC 2 audit to help you build a culture of nonprofit compliance.
Compliance takes collaboration
One key takeaway from our SOC 2 audit is that effective nonprofit compliance requires collaboration. It takes a village to get ready for a large-scale effort like our recent audit. For example, we tapped resources from all parts of Candid—from facilities to product managers—to collect and develop necessary materials and documentation. Each team played a role, whether big or small, in supporting this work.
To help your nonprofit succeed in its compliance efforts, you need awareness and support from all levels of your organization, from board members to interns. Before embarking on your compliance activity, take a moment to identify your team of compliance superheroes who can help share the responsibility and lend critical support.
Avoid assumptions—test iteratively
A saying I’ve always lived by is, “You don’t know what you don’t know.” This couldn’t be truer when it came to our recent compliance effort.
Our SOC 2 audit required us to refine our policies and plans for responding to incidents or unexpected events. It would have been easy for our core team to come up with policies ourselves. But, instead, we relied on others to provide feedback on what we were doing well, as well as which policies needed improvement. We also leaned on teams across Candid to refine and test these procedures.
As you undertake this work, avoid making assumptions to ensure outcomes reflect your organization’s needs. Talk to your teams directly to assess where you stand on compliance. For example, if you’re a research organization, learn about your studies to identify applicable regulations. Similarly, if you’re developing a new travel policy, talk to your employees to understand their work travel needs.
Don’t let your policies gather dust
It’s a waste of effort to develop policies if no one uses them or even knows they exist. Once you’ve created your policies and documentation, be sure to share them, so they get used!
At Candid, we tapped into multiple ways to internally share our SOC 2-related policies. For example, staff can access policies through our intranet, and we refer to these resources regularly. We also communicated new or updated policies at organization-wide town halls with information on where to find them.
Lastly, revisit your policies annually to ensure they reflect your nonprofit’s requirements and communicate any changes with all staff.
Always keep an eye on the big picture
The final lesson we learned is the importance of seeing the big picture. We spent over a year getting ready for our SOC 2 audit. This included countless hours ironing out details like the wording of certain policies or processes for vendor reviews. While doing so, it could’ve been easy to lose sight of why we were doing this in the first place.
Ultimately, we avoided this common nonprofit compliance pitfall. In fact, our SOC 2 efforts helped Candid identify process gaps and develop plans to address them. In the end, this massive effort allows us to operate better. It strengthens our data security and brings efficiency to the due diligence requests we receive from our funders, clients, partners, and others.
Whether you’re poring through pages of nonprofit registration forms, walking an auditor through financial transactions, or sitting through hours of government contract trainings, be sure to take a step back and identify how your compliance work helps your nonprofit achieve its mission. By bringing compliance back to your mission, you help bring everyone onboard. And that’s what building a culture of compliance is all about.
Kate, Digital Communications Manager, Candid says:
We aren't able to advise this specific situation. We recommend you seek expertise from someone or an organization in your area.
Joset Roberts says:
We are in foreclosure litigation. The State/HCD gave us a grant in 2009 to add on to our building. The note states that if we were serving the same homeless/transitional people after 7 or 10 years that the principal and interest would be forgiven. HCD chose not to, started the foreclosure and on 10/11/23 the judge stated we proved that HCD ... "was in breach of contract and breach of the implied covenant of good faith and fair dealing." Now, HCD is going to ask for us to give a deposition...but instead has turned the Franchise Tax Board (FTB)on us to ask the same questions over and over. Can you help us with answers to FTB or should we take it to the media?