Compliance · Not-for-profits

Compliance pressure on not-for-profits.

Donor data, volunteer data, vulnerable-client records, ACNC reporting and funder-driven security questionnaires that have started matching the ones corporate clients send. The compliance burden on a not-for-profit is rarely funded by the grant that comes with it.

What's being asked of you · not-for-profits

The compliance landscape for not-for-profits in 2026.

Compliance pressure on Australian not-for-profits is less regulator-led than in finance or health, but no less real. ACNC reporting, Privacy Act obligations on donor and service-user data, funder-driven security questionnaires from corporate partners and government grant programs, NDIS provider obligations for disability-sector NFPs, DSS funding security expectations for community-services providers: the load adds up quickly even without a single dominant regulator.

The questionnaires arriving from corporate philanthropic partners and government funders are getting more sophisticated each cycle. A 60-seat community-services NFP can receive supplier-assurance reviews from a federal department that ask the same Essential Eight questions a Tier 1 corporate sends its commercial suppliers. The questions do not adjust for sector or budget.

Sensitive client data is the heaviest weight underneath all of this. NFPs working with vulnerable clients (mental health, family services, refugee and migration support, disability) hold information that warrants the strictest Privacy Act handling. The governance expectation around that data is real; the staffing to implement it is typically not. The work is finding the proportionate controls that actually get operated.

What we do · compliance practice

What CCP does for not-for-profits on compliance.

What we do for a not-for-profit focuses on proportionate control. The organisation almost always handles personal information at meaningful scale (donors, service users, volunteers), often including sensitive information in the Privacy Act sense. The governance expectation is real. The staffing to implement it is usually not. We make the controls practical so they are actually operated, rather than documented and ignored.

Practically, this is identity and access that maps to a volunteer turnover rate the organisation actually has, Privacy Act hygiene that stands up to an OAIC enquiry, and funder-questionnaire readiness so grants do not stall on a security review. For organisations running client-management platforms (iCare, Penelope, SupportAbility, and similar), we integrate the security stack around them rather than duplicating what the platform already does.

The cycle is continuous, the way it has to be for an organisation that cannot afford to scramble. Gap analysis against the funder obligations the NFP actually holds, monitoring across the volunteer-turnover-driven access change, remediation when the monitoring surfaces a drift, evidence pipelines that pre-fill the next funder questionnaire rather than starting it from scratch.

We are honest about what nonprofit-sector IT can and cannot afford. The same baseline controls a 100-seat law firm operates may be partially out of reach for a 60-seat NFP without philanthropic IT funding. We name the trade-offs (which controls deliver disproportionate risk reduction for the spend, which can be staged across two budget cycles, where a funder's grant could be redirected to security uplift) so the board can make the call with full information. The stance is not 'build to bank-grade'; it is 'build to defensible'.

The tools and the role · what we bring

The five capabilities most not-for-profits need at the same time, and almost never have running together internally.

Compliance frameworks have converged on roughly the same set of operational expectations. These are the five we run as a service so the framework cycle is a continuing operation rather than an annual scramble.

  • SIEM and continuous monitoring

    Log aggregation across your devices, identity, network and cloud services with the alerting that surfaces something unusual while it is still recoverable. The answer to 'are we under attack right now' rather than 'were we under attack last quarter'.

  • Application control

    Allowlisting that prevents unauthorised executables from running on managed devices. One of the highest-impact Essential Eight controls and one of the hardest for in-house IT to operate without breaking the business. We run it as a service, including the day-to-day exception handling.

  • Vulnerability scanning AND remediation

    Most providers run a scanner and email you a list. We run the scanner and do the labour-intensive remediation work that actually closes the vulnerabilities inside the thirty-day window most frameworks expect. Scanning without remediation is a list of known problems with no closure.

  • Cybersecurity awareness training

    Annual training your staff actually complete, phishing simulations that escalate rather than scold, and the completion reporting your compliance officer can show to an auditor or insurer. The training is a compliance artefact and a real behaviour-change tool, not a tick-box.

  • vCIO function

    Strategic IT advice, framework gap analysis, board-level reporting, risk register maintenance, vendor management oversight. The compliance-aligned strategic role most organisations of this size cannot resource internally. See /services/vcio/ for the standalone offering.

The risk that matters · for not-for-profits

The compliance risk that actually breaks things.

The risk we see hit NFPs hardest is the funder grant or corporate partnership that survives a smooth questionnaire response but cannot survive a breach event a year later. When a major funder asks for evidence that the controls answered yes were operating in the relevant period and the evidence does not exist, the partnership is at risk along with the funding. The honest answer up front ('here is where we are, here is the plan to close the gap, here is the timeline') almost always preserves the relationship better than a confident yes that does not survive scrutiny.

Where it fits · managed IT engagement

Where this sits inside a managed-IT engagement.

The Client Security Baseline is the floor for every CCP client, including not-for-profits. Where the organisation has specific funder obligations or regulatory overlays (DSS funding security expectations, NDIS provider obligations for disability-sector NFPs, state-funding security clauses), we handle those per engagement against the same baseline.

Compliance is an overlay, not a tier in isolation. The Managed IT + Compliance plan exists for NFPs with continuing funder and regulator obligations and a regular questionnaire calendar. NFPs with simpler obligation surfaces can run the baseline plan and add specific overlays where a funder or insurer requires them.

What we do not do: program design, the service-delivery decisions, the funder relationship at the program level, or the board-level governance reporting. We provide the IT and compliance machinery that the program work and the board reporting rely on to be defensible, working alongside the people who own the program substance.

Common questions · not-for-profits

The framework questions not-for-profits ask us first.

  • Can you help us meet funder-driven security questionnaires?

    Yes. Funder questionnaires from corporate partners, government departments, and philanthropic foundations are typically scoped to Essential Eight controls plus identity, logging, and incident-response items. We pre-fill what we can from the live control environment, name the gaps honestly, and help you stage remediation so the next questionnaire is straightforward.

  • What about ACNC compliance and reporting obligations?

    ACNC obligations sit largely outside IT (financial reporting, governance standards, beneficiary statements), but the ACNC has signalled that cyber resilience and data-handling expectations are part of the governance picture. We make sure the IT side substantiates whatever the board's governance reporting claims about data security and incident response.

  • Do you handle Privacy Act obligations around donor and service-user data?

    Yes. Donor data carries Privacy Act obligations, and service-user data for vulnerable-client NFPs often includes sensitive information requiring stricter controls. We configure access controls, retention rules, and breach-notification readiness against the APPs, with overlays for the sensitive data categories the organisation handles.

  • Can you help with NDIS provider obligations for disability-sector NFPs?

    Yes. NDIS providers carry obligations under the NDIS Quality and Safeguards Commission framework, including participant data handling, worker-screening data, and incident reporting. We configure the systems against the obligations and document the controls so an NDIS audit can see them in operation.

  • What about DSS funding security expectations?

    DSS-funded community services carry security expectations attached to grant agreements that have tightened in recent years. We map the obligations in your specific funding agreements and configure the controls and evidence pipeline to match them.

  • Can we afford compliance on a not-for-profit budget?

    The Client Security Baseline included in every CCP plan covers most of what a funder questionnaire actually expects. The compliance-overlay work is additional spend, but we are honest about which controls deliver disproportionate risk reduction for the dollar and which can be staged across budget cycles. The stance is build-to-defensible, not build-to-bank-grade.

  • Do you help us answer corporate-partner due-diligence questionnaires?

    Yes. Corporate philanthropic partners now run vendor due diligence on the NFPs they fund, especially for partnerships involving co-branding or shared service delivery. We have completed these questionnaires for NFP clients; we fill them in with you so you understand what was answered and why.

Next step · start with the evidence

Find out where you actually sit.

The Essential Eight self-assessment takes about ten minutes and gives you a branded PDF report you can hand to your compliance officer, your insurer, or your board the same day. If you want to confirm we're the right shop for the work, the fit check comes next.

See if we're a fit