When Jill Farrow, now NTEN’s chief financial and operating officer, first toured the organization’s Portland, OR, offices, she noticed something conspicuous in its absence. Puzzled, she turned to then executive director Holly Ross, who was giving her the tour and asked, “Where are the servers?”
Farrow, who now laughs retelling the story, quickly learned that “operationally, we at NTEN do everything in the Cloud,” and that includes financial and operations management.
NTEN uses QuickBooks Online as its general ledger accounting and reporting system. Memberships, event registrations and sponsorship transactions — the basis of the creation of NTEN earned revenue and accounts receivables — is recorded in netFORUM, the cloud-based CRM from Avectra. NTEN works with Paychex to process payroll. PayPal is used, too.
None of the systems are currently integrated. That requires “an assist,” — a human one, Farrow said.
As chief operating and financial officer, Farrow views a Cloud-based financial and operations management environment as presenting both risk and opportunity. “As a financial person, that’s the framework I use; that’s the lens through which an experienced CFO will look,” she said.
On the opportunity side, the Cloud enables NTEN’s distributed staff to have access to the information they need to work effectively. “The benefit is that our membership director, who works remotely from New York, can look at the reports for a particular grant or membership partnership of interest at any given moment. It doesn’t matter that it’s before business hours in Portland,” Farrow said.
On the flip side, she added, “Nonprofit accounting is a slightly different beast, and QuickBooks Online is not as robust in its functionality for a nonprofit that uses a chart of accounts and a reporting system that uses both a class ID and a donor ID.” QuickBooks Desktop has functionality that QuickBooks Online does not, including balance sheet by class, forecasting and a statement writer “that would make my board of directors reporting so much easier to prepare.”
When it comes to selecting tools and systems for financial management, Farrow believes it’s important to observe carefully before making decisions about particular systems or vendors. “You have to watch and see how things work at your organization — what systems are in place, how they’re used, what are the strengths and weaknesses in that use, and how they integrate. And by systems I don’t only mean hardware and software, I mean human as well.”
Several other Cloud-based systems support NTEN’s many programming initiatives, and Farrow is involved with each one from the perspective of contract review and risk management. “Contractual review and oversight is a necessary component of financial management — material financial or legal risk can result in financial pain for an organization. But many nonprofits don’t have in-house expertise, and they don’t know what questions to ask,” she said. Whether the product under consideration is intended for use by staff in a nonprofit’s IT, program, membership, human resources or communications department, “there are common concerns.”
Protection of nonpublic personal, confidential and proprietary information and data security are key areas of concern to Farrow, and vendors should have appropriate controls in place for its server environment and data management practices. But how can an organization judge whether that’s the case? In a recent negotiation with a vendor for a Cloud-based service, Farrow asked for the company’s SSAE 16 (Statement on Standards for Attestation Engagement) internal controls audit report.
“If I place my confidence in a vendor to perform a service, and I need that service to perform my obligations to my customers — my members — and for whatever reason, the party I bought the service from goes down, I can’t fulfill all of my commitments. You have to understand the wherewithal of the party you’re contracting with to fulfill its commitments,” Farrow said. “Knowing to ask for the SSAE, and knowing to offer it if you’re on the other side of the (sales) table, is important to build confidence.”
In the process of obtaining the SSAE 16 for this particular vendor, Farrow discovered that the company was itself using Cloud-based services to provide its service; the vendor pitching NTEN was relying on the SSAE 16 of their Cloud-based data center provider. Organizations must be sure to understand the supply chain and relationships among providers, and designate one primary service provider that is responsible to fulfill the terms of your agreement. Include contract terms that the vendor you are contracting with is responsible for all of the services outlined in your contract, regardless of who actually conducts the services. “Someone has to take responsibility for the engines….Understand with whom you’re actually doing business,” Farrow said.
Ownership of an organization’s data — and the reports generated from that data — is another critical area, and should remain with the nonprofit organization.
As with all types of agreements and service providers, “You want to be transparent up front; you want to be very clear and not allow a lack of clarity about each party’s obligations to the other to create the potential for subsequent disappointment, lack of performance and, if things really go south, for legal concerns to be raised,” she added.
The Cloud may make both risks and opportunities more immediate. Fraudulent transactions take place instantaneously. A nonprofit organization, regardless of size, can be exposed to reputation risk through its public persona on social media platforms — hence the growing use of related human resource policies. In the opportunity column, though, the Cloud offers, among other things, unprecedented and instantaneous resource availability, Farrow said.
The bottom line, she explained, is that individuals in charge of financial management for nonprofits must establish and maintain appropriate internal controls. That applies whether the specific tools reside with a third party in the Cloud or in the real world, or in an organization’s own onsite server room. “You need to have appropriate management oversight and appropriate preventive and detective controls. You need both; this has always been true, and always will be,” she said. “It’s not just a Cloud thing.”