October 2019 – Nonprofit Auditor

Endpoints are the Front Line in the Battle for Effective Cybersecurity

Endpoints are the “ends of the network” – your computer, mobile device, internet connected devices etc – we (people, devices, bad actors) interface with endpoints to connect to computing networks, the internet and cyberspace.

I like how the article below uses a comparison to the game of chess to reemphasize the important role endpoints play in effective cybersecurity. To the chess novice, pawns are many and dispensable, like endpoints are many and cost little relative to the value of information on networks. No, those endpoints and the trends in their use are foundational to your cyber defense.

One more point, data is created and transformed at endpoints, and in my view it is best to think of data as the ultimate endpoint. So really, start you cyber security plans with your knowledge of data and data governance — donors, employees, volunteers, clients (beneficiaries), partners, collaborators, vendors.

Endpoints are the Front Line in the Battle for Effective Cybersecurity

Endpoints are the Front Line in the Battle for Effective Cybersecurity

— Read on securityboulevard.com/2019/10/endpoints-are-the-front-line-in-the-battle-for-effective-cybersecurity/

Private Cloud vs Public Cloud Security Challenges

Private Cloud vs Public Cloud Security Challenges

Private Cloud vs Public Cloud Security Challenges

— Read on securityboulevard.com/2019/10/private-cloud-vs-public-cloud-security-challenges/

Nonprofits should consider internet isolation cloud solutions in their IT security designs

Sharing below a nice article on internet isolation cloud solutions as a paradigm for implementing security.

A boundary-less IT security defense architecture (design) is definitely one that nonprofits should consider. And the reason for this is business necessity.

Nonprofit business architectures (designs) continue to require operational and even strategic collaboration and partnerships with a variety of global and local partners. These partners are all over the world and in some cases include national governments. The data nonprofits handle includes that of vulnerable and insecure populations. To operate effectively with such populations, nonprofits must maintain relationships of trust with these clients. The trust must in turn be supported by robust data stewardship and security practices, including regulatory compliance regimes. This is because for nonprofit enterprises to be effective today and looking ahead into the future, their sensitive data will need to be shared more often. They will be more exposed to partners having different IT capabilities and a amyriad IT security postures, including no security capacity.

Nonprofit IT security designs must follow the direction of their business designs or fail to be effective in business environments and relationships they must support.

Let me know what you think of the article.

securityboulevard.com/2019/09/internet-isolation-cloud-introducing-a-new-paradigm/

Managing project start-up delays caused by donors

Some nonprofits may indeed be miracle workers, if we consider some of the results and outcomes they achieve in the world’s most difficult implementation environments. They are not magicians though, they need resources to do work. As a nonprofit auditor, one cause for underachievement of project results that I hear implementers cite is donor caused delays at startup. How frequent is the issue? I suspect it happens often enough and has been a problem for long. It is particularly important with the larger public donors. These donors fund the big multi-million dollar projects that nonprofits and their clients (beneficiaries) count on for impact at scale and for sustainable change. It is true that there are always two sides of a story but because of enormous power of the big donors I think we should expect more. As the Peter Parker principle goes: “with great power comes great responsibility”. Big donors must do a better job with timely authorization and funding of project startups!

How much do delays in launching projects cost? I suspect a lot. Impacts that come to mind include delayed and poorly timed responses to client needs (some life saving), financial and operational disruptions for resource constrained nonprofits and higher un-reimbursable cost burdens on implementers?

What can nonprofits do about this? Most nonprofit implementers seem resigned to treating this problem as “an operating constraint”, a hurdle they must deal with to do their jobs. They may well be right in their approach. However I am not convinced their approach is fully informed, in terms of the costs they wind up bearing and on their ability to exact better performance from donors. Often the donors still expect the same deliverables under the funding terms. Nonprofits should not consider themselves helpless in the matter. They can and should fight back!

Let’s see, do nonprofits analyze the effects of delayed funding within their businesses to understand which opportunities and donors to go for; what financial dispositions to take and the feedback and awareness raising to provide to donors? Do they know the types of projects where delays are more likely to be problematic, in what locations, with which client populations? Do they know what implementation models are more susceptible to the impacts of such delays, direct implementation or through other actors? Do they know what fund (award) administration strategies work best to mitigate underachievement of results in such instances and do they measure whether their staff know and adopt them? Do they know when to engage their donors on cost or no costs extensions and on other appropriate tactical responses? Do they have a general sense of how the results of projects that are authorized on time compare to those that are delayed. Do they know what impact project extensions have on expected the “value for money”? How about impacts on nonprofit volunteers and on clients?

What can donors do about the delays? Do the donors even understand the impact on their nonprofits partners and more important the missed opportunities to serve clients? Are there any accountability measures donors impose on themselves with regard to such delays and the problems they cause? Are donor agency cultures reflexive of their mandate to get help out to clients expediently and to be in service?

I think more awareness and transparency is the answer to all these questions. Let’s start there. Where I sit as an auditor, I never get a good sense that these questions have are answered. Yet good donor account management, which is a key component of fund management, calls for just this. Nonprofits leaders should require their staff to get a solid grip on the costs and impacts of delays, so they can make better decisions about funding opportunities and take steps to mitigate negative impacts. The leaders should engage donors on greater transparency. They should share the information with donors and amongst themselves. They should study and share lessons on coping with delayed funding. They should consider rating the donors with regards to expedient authorization of funding and not shy from addressing these donor performance issues. Many big public donors have multiple departments and offices, highlighting performance differences in like circumstances may also help. Nonprofits can also use carrots, they should recognize their most consistent donors with awards or simple thank you feedbacks.

Above all, how nonprofits choose to manage their donor’s performance with respect to timely authorization of funding should be deliberate and informed. What are you thoughts? If you are an auditor, have you also come across the donor delayed funding “operating constraints”.

The Merchant of Venice & Internal Audit

Ever wondered who the first internal auditors were? What skills they applied? What enterprises solicited their services and why. Those who know me, know I’m a firm believer in the idea that there is nothing new under the sun. Finding out the history of a profession and it’s evolution often reveals a lot more about the enterprises and stakeholders to whom the profession renders service. Such discovery is the best career advice to give to young people making up their minds on what they want to do.

I’m very often called on to provide introductory primers to audiences of nonprofit implementers on what internal audit is and even on “how to pass the audit”. I love doing it. I reveal novel insides like “auditors are people” and “don’t upset the auditors”. As I do, I sit back in my mind and marvel at audience reactions. You will be surprised how many people don’t know internal auditors are people. I also love giving insides on how to pass audit. It helps me dispel the fallacy that we auditors are some sadist evaluators looking to fail people, on job exams of sorts. All of that wrong on many levels.

One story I often invoke, in part to spice the conversation but equally to remind people of the organic basis for auditing is Shakespeare’s the Merchant of Venice. Imagine it. The people signed up for an internal audit introduction and then get to hear about Shakespeare’s work. So what‘s the connection? If you are like me and had to read the play in middle school, I hope you were as fascinated by “all that glitters is not gold” revelation in Act II, after all, is that not one lesson we all continue to learn in our adult lives and in the practice of audit? We call it professional skepticism today. But that was just the first digression. The play opens with a sad merchant, worried by the faith of his big bet investments. He has in effect placed all his eggs in one basket, in his case, vessels at sea. Another lesson on risk management and a second digression on my part.

The real lesson to draw in my view is what is missing from the merchant’s enterprise – an internal auditor. Many have questioned why Antonio (the merchant) was sad in the opening act of the play, filled with “melancholy”. Was it for his friend embarking on the consuming enterprise of marriage, that would take him away from their time together? Was it for parting away from his goods on vessels at sea? Was it for the unsavory feeling of making exorbitant profits like Shylock, the Semite he abhorred? I say Antonio was faced with a corporate governance challenge, impacting many stakeholders. An internal auditor could have helped him to examine the governance, risk management and control framework for his enterprise and activities. Consider the issues, financial risks of too much debt or loss due to pirates, market/demand risks if he invested in the wrong goods, operational risk if his ship captains failed to navigate safely, hazard risks from the seas, the social scorn from executive remuneration etc. His friends and collaborators tried, in their ways to be auditors of sorts, hinting at risks. He was sad and did not know why because the internal audit profession had not yet been created. Everyone paid dearly for not having auditors.

McDonald’s Starts Serving McTech to Survive in the Modern Age — Any lessons for Nonprofits?

What does it mean that Macdonald is serving McTech? And what can nonprofits learn from this iconic company that feeds 1% of the world’s population? There is much to learn in my view. And not the least of which of course is MacDonald’s ability to connect with people worldwide and deliver the same tasty big Mac!

Let’s see, Macdonald is going back to its roots, it’s not about the tech – that part is just presentation, it’s about customer intimacy, not to be confused with engagement, its intimacy. And what has reminded Macdonald’s management about intimacy, Amazon, it is the modern day wizard at it. Amazon knows their customers and the products/services intimately and matches the two to fit like a hand in a glove. They take the thinking and worry out of it and what you have left is called “delight”, which invariably translates to cha-ching! The feeling builds trust and good brand loyalty, when supported by good delivery – customer journey.

At the height of its dominance, Macdonald understood what those tired parents, coming back from the school game with restless kids needed. It was something, simple, predictable, quick and able to satisfy everyone’s taste buds and to keep everyone happy. It was the “happy meal” together with toys, playgrounds, the homely feeling of eating together in the car. For a while though, Macdonald started focusing on costs, we know the “dollar menu” and on operational excellence, that is cost/quality, also known as “value for money”. That was good and it allowed them to expand worldwide but it started leaving “delight” behind, Five Guys, Chic-fil A and others moved in to take some of their customers.

I hear a lot of talk about nonprofit donors wanting “value for money”. Is that really true? Sometimes I have my doubts and wonder if they just want to be delighted. One of the challenges in nonprofit work is the distance between those paying for the services, the donors and those receiving the services, the clients (check my recent blog post on this). Often donors never get to know who received the services. For this reason, value for money is mostly just an abstract idea to donors, just a hedging mechanism. This is one reason why western donors ignore some of the worst crises around the world, until a western face decries it. Oh no, that is not a judgment on the donors, its just a reflection of the distance between donors and beneficiaries and the nonprofit challenge. Many nonprofits struggle and I know work their hearts out to bridge this distance everyday. It will be nice to see more nonprofits move away from formulating strategies entirely based on achieving value for money and more based on intimacy and doing so on the two ends of their value chain, the donors and the clients (beneficiaries). Digitization and the digital revolution is an opportunity for nonprofits to reframe their value proposition with donors and clients.

Below is a link to the article that discusses Macdonald serving “McTech”. It got me going. Please read and share your views. What is your opinion of nonprofit corporate strategy designs today? How can they leverage digitization and the digital revolution to explore other strategy dimensions?

McDonald’s Starts Serving McTech to Survive in the Modern Age

McDonald’s Starts Serving McTech to Survive in the Modern Age

— Read on longreads.com/2019/10/02/mcdonalds-starts-serving-mctech-to-survive-in-the-modern-age/

Effective nonprofit auditors think of the customers served to understand risks

One of the main reasons running a nonprofit is very challenging is that it is really difficult to tell who the customer is. Without a good sense of who the customer is, it is difficult to define a clear value proposition and to have a sustainable business and corporate strategy. Why the mention of strategy, the most important risks are strategy risks, all others follow from it in my experience. It may not be obvious but I would also add that without this perspective nonprofit auditors may find themselves speaking an entirely different language from nonprofit executives. Very simply put revenue matters, else there is nothing to really talk about.

So who is the nonprofit’s customer?

Is it the donors that provide the resources and funds needed to carryout the nonprofit’s mission? If so what are they getting out of it? Most donors only have a limited understanding of who receives services. Is it the beneficiaries or clients served by the nonprofit’s mission? These clients pay nothing or less than the costs, so in what way are they the customers? Are the communities and local governments whose populations nonprofits serve the customers? It is true they give the social or even legal access to the populations served but they don’t pay for the services or directly receive the services. Nonprofits in effect do the work that communities and local governments should have done. There is also the question of volunteers, they can be thought of as customers too, they too offer their time and in some cases expertise.

There is no simple answer to the question who is the nonprofit’s customer, many articles and books have discussed it, its one of those chicken and egg problems. The simple fact is that effective nonprofit work, as a business challenge is far more complex than many people realize, and when auditors sit in-front of nonprofit executives and directors they should keep this in mind.