By Karen Schuler, CFE, IGP, IGP and Taryn Crane, PMP

Notwithstanding the EU General Data Protection Regulation (GDPR)—the most sweeping change to data privacy in 20-plus years, with extraterritorial scope that went into effect on May 25, 2018—there are numerous privacy laws that are often  overlooked.

Earlier this year companies like Facebook have come under fire for privacy violations while Congress is looking for ways to protect the privacy of American citizens. These movements are just the beginning of widespread change that we expect for privacy laws over the next several years.

As discussed in the Spring 2018 issue of the Nonprofit Standard in an article entitled “The Integration of Data Privacy into a Data Governance Program,” nonprofits can’t afford to ignore regulations like GDPR as many organizations are impacted due to their global reach. But now that May 25, 2018 has passed and GDPR officially went into effect, it’s time to think about your holistic privacy program—or implementing a Privacy Operational Life Cycle that helps your organization keep employees apprised of new privacy requirements, embraces recordkeeping and sound data protection practices while offering enhanced data privacy for your donors, employees, and constituents.

Think about these areas to develop a sound Privacy Operational Life Cycle:

• Develop an organizational privacy vision and mission, and document the program’s objectives.
• Identify legal and regulatory compliance challenges that are relevant to your organization.
• Locate and document where personal information resides throughout your organization or across third parties (e.g., hosting vendors, outsourced applications).
• Develop a privacy strategy that identifies stakeholders, leverages key functions throughout the organization, creates a process for interfacing within the organization, and outlines a data governance strategy.
• Conduct a privacy awareness workshop to highlight to the entire organization the goals of the program.
• And, finally, develop a structure for your privacy team with a governance model that is clear and consistent for the size of your organization.

The above-mentioned items are a starting point, but there is more to do after you develop your initial structure and communicate the purpose of the program. Below is a guide to developing the Privacy Operational Life Cycle.

Develop and Implement a Framework

The framework should provide you with an implementation road map that outlines your privacy procedures and processes. Developing a framework helps you identify high risk areas, reduce data loss, and provide a measurement against compliance to laws, regulations, and standards. Frameworks that provide initial guidance include the AICPA and CICA Privacy Framework, ISO 17779/BD7799, or OECD Privacy Guidelines.

Develop Privacy Policies

Once you have selected an overall framework to govern your privacy program, look at your existing policies, procedures, and guidelines. During this phase you should evaluate the goals of the privacy program and determine what business initiatives are the baseline of the privacy program. Just remember, as you look to update policies, procedures and guidelines for the organization, ensure that there is a mechanism to enforce these policies. And don’t forget to review the current website privacy notice. This has become a critical target of privacy watchdogs to ensure that you can fulfill the commitment of the statements in that notice.

Develop Mechanisms to Measure Performance

Within your privacy life cycle, it will be important to develop the ability to measure performance of the program. To implement metrics, consider your audience—will it be the board, external parties, regulatory agencies, or the staff? Determine how you will report on these metrics that you have identified. Decide what measurements you are interested in sharing with your audience and how this could impact funding positively or negatively. Next, determine how you will measure progress toward the organization’s business goals and objectives. Do your best to limit improper metrics that do not support the organization’s mission. And finally, determine the best methods to collect the data you need. Your goal is to demonstrate compliance while establishing the privacy program’s return on investment (ROI).

Develop the Privacy Operational Life Cycle

The Privacy Operational Life Cycle should consider measurement, improvements, and the ability to sustain and support the program. To effectively do this, develop an operational life cycle that considers the assessment, protection, governance, and response phases. Some tips to consider for each aspect of the life cycle:

• Assess – embed Privacy by Design (PbD) into the design of technology, business practices, and physical design of new programs. In addition to PbD, regularly evaluate third-party compliance, as well as internal program compliance.
• Protect – ensure that information life cycle management (ILM) is built into your data protection strategy. While it is important to ensure that your data protection strategies mitigate the risk of a data breach, you need to consider sound ILM practices to promote the organization’s data protection strategies. Remember, the less you have, the less you have to protect.
• Govern – while it’s important to be able to evaluate and protect information, you also need to monitor, audit, and communicate the privacy framework. Develop a strategy and operational procedures that allow your organization to maintain a transparent and visibly sound program. And don’t forget to monitor regulatory changes that impact your organization. Develop ongoing processes that allow you to measure the privacy program’s effectiveness.
• Respond – traditionally privacy and security teams viewed their ability to respond as responding to a security event. Today that has changed – it’s much broader and requires the ability to respond to complaints, requests for information, corrections of inaccurate data, clarifications of privacy matters and access requests. When developing your response capabilities, take into consideration these items in addition to your ability to respond to a security event.

Holistic privacy program development is the wave of the future, especially in a competitive world where data is at the core of every business or organization. Establish a program that fits your organization to ensure that you remain ahead of the curve and out of the sight of regulators.

This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Summer 2018). Copyright © 2018 BDO USA, LLP. All rights reserved. www.bdo.com

By Joe Sremack, CFE

Robotic process automation is helping both for-profit and nonprofit organizations do more with less. Robotic Process Automation (RPA) is transforming the way organizations across different industries do business. It allows organizations to automate certain types of work processes to reduce the time spent on costly manual tasks and increase efforts to deliver mission-critical work. RPA is helping organizations do more with less, helping them automatically process and store data without having to perform manual data entry, generate financial status reports without spending considerable amounts of time in Excel, and execute outreach campaigns without spending hours in a customer relationship manager (CRM) program. These types of optimizations have been made a reality through RPA, with organizations just beginning to scratch the surface of the possibilities.

RPA Defined

RPA is the use of software that automates manual tasks. It eliminates the need for employees to perform repetitive tasks by integrating software that performs the same set of steps the employee does. The software is designed to perform routine tasks across multiple applications and systems within an existing workflow. It performs specific tasks to automate the transfer, editing, reporting and/or saving of data.

At least some portion of white collar employees’ time is spent on repetitive computer tasks. That includes the CEO’s time–about 25 percent of the CEO’s tasks could be automated  and RPA can help achieve this. Repetitive work typically involves the collection of data from one or more sources, performing a data manipulation—such as applying data formulas in Excel—and then exporting or saving the information to a readily available location. These are just some of the kinds of work that RPA automates.

One of the main differentiators of RPA from other solutions is that it performs tasks that do not require deep cognitive capabilities. RPA is the automation of a process, but the software is not improved or changed based on the inputs or its results. This is different from machine learning or artificial intelligence (AI) software, which can learn and improve based on the continuous evaluation of its inputs and results. Instead, RPA software simply repetitively performs the same task(s) based on business requirements.

RPA provides several major benefits. The most immediate impact from RPA is that routine tasks are performed in an error-free, consistent manner. RPA also provides an audit trail of work performed, which can be valuable in regulated industries or when the output of a process produces an unexpected result. In addition, RPA solutions can be configured to identify anomalies or red flags that may not be identifiable to an employee.

The long-term benefits are also valuable. Perhaps the most important benefit is increased job satisfaction. When employees are asked which parts of their jobs they dislike the most, the tasks they list usually involve a type of manual work that is a good candidate for an RPA solution. ^[1] This increased job satisfaction results in a better work environment and more productive employees. Moreover, the results of the formerly manual processes become better and the cost savings can be recognized.

Applications of RPA

The list of potential uses for RPA is robust. Most manual computer-based tasks performed by employees can be automated with RPA. RPA is often used for back office functions but can extend to customer relationship management, data analysis, and other key areas that involve manual work.

The best way to understand RPA is to learn about the kinds of problems RPA can solve. For example, an RPA program–called a “bot”–can be used to manage customer email inquiries. The bot monitors a sales inquiry email account and automatically imports the information into the CRM, sends alerts to the sales team, sends an automated message to the customer, and imports the information into other systems that are used to track employee availability and sales campaign successes. This works well when timely responses to customers are required.

An example of a nonprofit-specific use of an RPA solution is the management of fundraising campaigns. In many organizations, this process involves pulling past donor information, generating marketing materials, contacting past and new donors, collecting donor payment information, and entering it into an accounting software, updating financial information, and updating a donor database. Most of these steps are performed manually, slowing down the process and introducing the risk of error. With an RPA solution, most of this process can be automated, allowing the organization to spend more time interfacing with donors and working on other mission-critical tasks.

The following is a chart that lists several types of tasks that can be automated by department in most organizations:
HR	New employee forms	Employee termination documentation	Employee benefits
Finance / Accounting	AR/AP tracking	Financial reporting	Vendor management
IT	New user setup	Employee termination	Inventory tracking
Sales / Marketing	Email sales campaign management	Outreach campaigns	CRM automation
Others	Executive analysis reports	Regulatory compliance documentation	Inventory management

 

While the list above appears to be limited to single-department tasks, many of these are cross-department tasks in nature. Consider a process where the finance department needs to work with IT and sales to request multiple data sets, get input, and share the results. Rather than emailing those departments to pull the same data set every quarter to develop an Excel-based report, an RPA solution automatically performs the data pull and generates the entire Excel report. This not only saves time and effort across the various departments, it also enables the finance team to spend more time doing meaningful analysis of the reports and develop projections and deeper insights.

RPA and Nonprofits

RPA is well-suited for solving problems encountered by nonprofits since they face many of the same challenges associated with reducing the time employees spend on manual tasks as for-profit organizations. Whether the work involves manually entering accounts receivable and accounts payable data in accounting software, generating compliance reports, or performing outreach campaigns, time is being spent by employees on less valuable work. Employees would agree that they would rather work on mission-specific tasks rather than repetitive tasks.^[2]

• Several examples of the types of nonprofit processes an RPA solution works well with are:
• Pledge campaigns.
• Recurring donation management.
• Digital and print marketing campaigns.
• Outreach campaigns.
• Government and regulatory issue tracking.
• Volunteer management.

Service providers and software developers have begun offering solutions geared toward nonprofits. Several major RPA software developers have recently launched commercial software solutions specifically designed for nonprofits, and service providers who understand the nonprofit sector are able to implement tailored RPA solutions.

Implementing RPA

RPA solutions can be implemented in several ways. The most common method for organizations is to implement individual bots. These are single programs that perform tasks automatically. The bot can be accessed through a desktop or web-based application. The second method is to implement a server that controls a set of bots within a department or across the organization. The server-based approach is a more robust system that is typically employed when there are a larger number of bots utilized throughout an organization that need to be managed centrally, whereas the individual bot method is appropriate when only several bots are used.

The cost of an RPA solution, a common concern for any organization, depends on these factors:

• Complexity
• Number of bots.
• Time to develop and implement.
• Level of customization.

An enterprise-wide RPA solution of hundreds of bots can be expensive. A smaller implementation with only ten 10 bots or less, however, can be implemented relatively inexpensively and within a short period of time. Companies who sell RPA solutions often have a suite of pre-built bots that can be quickly customized and implemented without requiring a new bot to be developed. As the RPA market matures, the cost will continue to decline.

The key steps for determining whether an RPA solution is appropriate are to:

• Identify where most time and effort is being expended on manual tasks.
• Identify bottlenecks of key processes—specifically identifying manual tasks.
• Implement a pilot program to tackle a high-value discrete task that can have immediate value.

RPA is an exciting new way for organizations to improve their operations while also improving employee job satisfaction. RPA solutions have become a widely adopted strategy for enhancing various parts of organizations’ operations by allowing employees to focus their time and efforts on more high-value and meaningful work. It has helped organizations do significantly more with less while reducing errors, increasing workforce job satisfaction, and better ensuring that deadlines are met. These benefits have been possible with relatively small capital investments and IT resources. While RPA is not applicable to all types of work, it is a good option for reducing hours spent on routine, manual tasks.

BENEFITS OF RPA

• Error-free, consistent results
• Employees can be utilized for higher‑value work
• Increased job satisfaction (not spending time doing repetitive, low‑value work)
• Faster, more predictable delivery timing
• Documented trail of work performed
• Identify anomalies or other red flags

 

^[1]    Gartner Research, “Role of Machine Learning in Accelerating Automation,” 2016.

 

^[2]    L. Willocks and M. Lacity, Service Automation: Robots and the Future of Work 2016, 2016.

This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Summer 2018). Copyright © 2018 BDO USA, LLP. All rights reserved. www.bdo.com

By Andrea Wilson

The “burden” of indirect costs remains one of the top concerns for both nonprofit organizations and their donors. Faced with limitations on indirect cost recovery from private foundations, shrinking federal dollars, and the increasing costs of program oversight, organizations grapple with a number of serious and conflicting concerns in this area. How do organizations adapt to the changing regulatory and market environment in which they operate? While indirect costs are necessary expenses toward the management and viability of the organization, many donors view such costs as a “tax” to their sponsored programs, and most organizations struggle to overcome that preconception.

What are indirect costs and why is there so much discomfort and stigma around cost recovery?

One significant challenge in getting key stakeholders to understand the indirect cost paradigm is that there is no specific list of costs that are required to be indirect. This means that the organization itself defines which costs are designated as direct and indirect, based on its business structure, programs and other factors. While we generally see expenses such as executive wages, home office facilities and general accounting in the indirect cost category, there is no single method of defining which expenses should be included. Further complicating the discussion is multiple pools of costs, such as overhead and general and administrative (G&A) that organizations use to accumulate and allocate costs. The term “overhead” is generally used to describe the costs associated with maintaining the organization while G&A costs are typically those associated with operating and managing the programs. Collectively these make up indirect costs to the organization.

Direct expenses, on the other hand, are all those that can be connected to an ultimate cost objective, i.e., programs. Organizations can count direct and indirect costs differently even if they provide relatively similar services and are of relatively similar size. For example, some organizations treat the costs associated with procurement management as a direct expense while others include such costs as an indirect cost in their general and administrative rate, and some even have a separate “subcontractor and materials handling rate.”

This very simple, yet real, example can have significant consequences on the underlying indirect cost rate of the organization. In the first instance, where procurement is a direct charge to the program, the indirect cost rate goes down, but the total direct charges increase. In scenario two, the reverse is true, direct expenses go down and indirect expenses increase. Yet in the third scenario, when procurement is treated as a separate pool, the overall overhead rate goes down with the inclusion of a marginal subcontractor and material handling rate. These examples illustrate that the same exact cost, in absolute terms, can be treated at least three different ways, each with differing impact to the indirect cost rates of the organization.

There is no doubt that the complexity and diversity in methodologies contributes greatly to the stigma surrounding indirect costs. In budget preparation and presentations to donors inclusive of federal agencies, indirect costs are typically presented as a rate, i.e., percentage of cost. From a donor’s perspective, there is a great deal of scrutiny involved in analyzing the direct expenses of an award, and yet at the end of the budget, there is a percent of cost, sometimes substantial, that has very little to do with the intent of the award. Hence, many donors truly believe that indirect costs are a “tax” to programs.

In the U.S. federal context, many organizations have a cognizant oversight agency that reviews the organization’s indirect cost rate annually. However, the group that manages this rate is different from those that review and award grants and contracts. Organizations with complex federal and non-federal donor mixes are tied to their federal indirect cost rates for the entirety of the organization, thus making oversight by their private donors nearly impossible. Further, very few private foundations have a verification process of indirect cost rates. Worse yet, many donors put caps on indirect cost recovery, or negotiate a rate less than the true indirect recovery rate of the organization, thereby creating a starvation cycle for organizations. If the organization is federally funded, this could also result in a non-compliant application of their indirect cost methodology.

How do organizations overcome the stigma?

• Implement cost-cutting measures to reduce indirect costs serves the immediate purpose of lower indirect cost rates, often making organizations more competitive on programs.
• Reconsider your structure. Many sophisticated organizations have several segments with varying rates, or multiple consolidating entities enabling them to have multiple rates to comply with the varying programs’ needs and donor requirements.
• Consider adding in service center allocations that move costs from your indirect costs to your direct expenses. For example, if an organization adds an IT service center which is allocated based on headcount, the cost of IT is moved out of the indirect costs and is moved to the direct expenses of the programs. The impact reduces the overall indirect cost rate.
• Look for different methodologies with which to allocate your costs. Some organizations have varying methods for more equitable distribution of indirect expenses, which serves to help donors evaluate indirect costs. For example, instead of allocating indirect expenses based on program expenses, look for a more appropriate driver based on your programs, such as direct beneficiaries, etc.
• Add additional notes to your budgets and requests for funding. While several donors have ceilings on indirect expenses, many do not. Do not simply apply your rate, but rather explain its composition and application. Let donors know these are real expenses and explain why they are necessary to the organization.

This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Spring 2018). Copyright © 2018 BDO USA, LLP. All rights reserved. www.bdo.com

By Lee Klumpp, CPA, CGMA

The answer to the question is a complex one, but each individual statement is equally important especially when used in conjunction with the footnotes. However; before we jump into explaining why each statement is important we must first understand why nonprofit (NFP) organizations are different from their for-profit brethren. NFPs are not owned by shareholders nor do they intend to earn profit to distribute back to shareholders. Instead, NFPs seek to earn revenue to support their program activities which are related to their mission. The mission is the key driver for NFPs, not a return of profit to its shareholders. (See the article entitled “Mission Matters” on page 14.) Financial statements are key components in revealing the financial health of an organization whether NFP or for-profit. An NFP’s financial information can get quite complicated, but if you understand the basics, you can glean vital information from the financial statements and related disclosures.

Nonprofits use four main financial reporting statements: statement of financial position (balance sheet), statement of activities (income statement), statement of cash flows and statement of functional expenses. Three of these statements are similar to for-profit company statements, with the exception that the statement of functional expenses is unique to NFPs because it is an analysis of expenses by both nature and function. Understanding the elements of these statements and how they relate to one another can help you understand an NFP’s financial position and what resources it has available and how the NFP deploys its resources.

Statement of Financial Position

The nonprofit balance sheet is also commonly referred to as a statement of financial position or statement of financial condition. This statement is based on the accounting formula, assets equal liabilities plus net assets. This equation is mirrored on a for-profit balance sheet; however, net assets are replaced with owners’ equity. The balance sheet offers the best overall perspective on the nonprofit’s financial health and stability. In particular, readers evaluate the relationship of assets to liabilities. One of the issues that blur NFPs’ financial statements versus for-profit entities’ is the ability to determine liquidity (working capital) because of donor restrictions on net assets.

The assets on a statement of financial position are classified as either current or non-current if the NFP has chosen to present a classified statement of financial position. Current assets are the most liquid, meaning they can easily be converted to cash in a relatively short period. Fixed assets are non-current since the assets are expected to be available for a term longer than 12 months form the measurement date (year-end). Similar to assets, liabilities are also classified as current or long-term based on the closeness to maturity. Current liabilities include money owed to creditors in less than a year. Long-term liabilities are due in one year or later. Net assets (equity) is the total amount of residual assets remaining in the NFP.

Statement of Activities

Often referred to as the income statement since the term is more commonly associated with for-profit companies and earnings, the nonprofit statement of activities follows the basic formula: revenues less expenses equals the change in net assets. In a for-profit this is referred to as earnings. The nonprofit statement of activities shows the funds coming into the organization less the costs of operating the organization.

An NFP’s revenues, gains, expenses and losses are listed on its statement of activities. Revenue is money earned from an NFP’s normal business operations. The expenses on the statement of activities are the costs associated with earning the revenue. When an NFP sells one of its assets, it can experience a capital gain or loss because this activity is not part of its central and ongoing business activity. Revenues less expenses, plus gains less losses, equals the overall change in net assets. The dollar amount of the change in net assets listed on the statement of activities is also found on the cash flow statement under the operating activities section.

Statement of Functional Expenses

The statement of functional expenses is only used by nonprofit organizations based on the importance of monitoring expenditures. In general, this statement breaks down organizational expenses into common categories. This breakdown helps an NFP track how it spends its money. The statement also shows the breakdown of expenses between program services and support services. One of the reasons nonprofits track expenses is to report on the percentage of funds that go toward programs compared to funds spent on administration costs, such as employee salaries and fundraising.

Statement of Cash Flows

The statement of cash flows is similar to the one used by for-profit entities. The statement of cash flows presents operating, investing and financing activities to show the sources and uses of cash.

The cash flow statement can be presented using the direct method (the preferred method) or the indirect method, which is the one that is most commonly used. The direct method shows in the operating activities section the inflows and outflows related to cash flows provided by and used in operating activities. The indirect method starts with the change in net assets, followed by additions to or subtractions related to changes in the statement of financial positon to adjust the change in net assets to a cash basis. The statement of cash flows is divided into four sections. The first section of the cash flow statement is cash provided by or used in operating activities, which shows the cash flows in and out of the NFP in relation to its mission-related operation. The second section, cash flows from investing activities, shows cash the NFP received from or spent on its capital investments. The third section, financing activities, shows the inflows and outflows of cash related to the NFP’s borrowing activities, which is also listed on the statement of financial position. The final and last section is the supplemental information which presents cash paid for income taxes and interest and the non-cash transactions.

Footnotes

The footnotes or disclosures are just as important as the individual statements. The information in the footnotes allows the reader to obtain more information so they can truly understand the numbers in the various statements. The footnotes provide the accounting policies utilized in preparing the financial statements as well as information about the components of the numbers presented in the financial statements. The footnotes are critical to understanding the statements and should be read in detail.

This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Spring 2018). Copyright © 2018 BDO USA, LLP. All rights reserved. www.bdo.com