RiskWatch

For 501(c)(3) Public Charities, Foundations + Federally-Funded Nonprofits

One platform for Form 990 governance, OMB Uniform Guidance, and donor data trust across every grant + state.

Nonprofits sit at a regulatory crossroads few sectors face. IRS Form 990 + Schedule O public on Candid/GuideStar. OMB Uniform Guidance 2 CFR 200 on every federal dollar. Single Audit obligations once federal awards exceed thresholds. FASB ASC 958. State charity registrations in 40+ states. PCI DSS on every online donation. SOX §1107 + §802 whistleblower + records retention. RiskWatch unifies all of it as one survey-based assessment platform sized for compliance directors, grants managers, and audit committee chairs.

Trusted by public-mission organizations + healthcare 501(c)(3)s managing IRS Form 990, OMB Uniform Guidance, Single Audit, multi-state charity registrations, donor PCI DSS, and audit-committee evidence across federal grant streams, foundation funding, and state oversight.

Aon · Bose · Iberdrola USA · Johnson & Johnson · Pfizer · Puma North America
4.8 · G2 Crowd · 108+
4.7 · Capterra · 76+
4.8 · Gartner Peer Insights · Voice of Customer

Why Compliance Directors + Grants Managers Pick RiskWatch

RiskWatch turns IRS, OMB, FASB, and state charity rules into one program.

RiskWatch runs IRS Form 990 + Schedule O, OMB Uniform Guidance 2 CFR 200, Single Audit prep, FASB ASC 958, multi-state charity registrations, donor PCI DSS, SOX §1107 + §802 obligations, and Charity Navigator + Candid Seal mapping as one program on one platform, scored against the same controls library, and tracked through a single audit-ready evidence trail. Built for nonprofits where one compliance director + grants manager + finance team covers every regulator, every funder, and every audit cycle, without enterprise-bank GRC overhead or six-figure consulting fees that should be going to mission spend.

990 governance + federal grant compliance in one library

Form 990 Schedule O governance disclosures + OMB Uniform Guidance 2 CFR 200 + Single Audit prep + FASB ASC 958 cross-mapped. Conflict-of-interest, whistleblower, document-retention, and audit-committee evidence is shared across all four, with no parallel binders for the auditor, the IRS, and the federal funder.

Multi-state charity registration coordination built in

40+ state charity registration cycles tracked as overlays. Annual filings, registration renewals, fundraising-counsel disclosures, and state-by-state audit-threshold tracking run from the same evidence vault used for federal compliance, not a parallel spreadsheet per state.

Sized for nonprofit compliance team scale

Compliance director + grants manager + finance director + audit committee chair share one platform. Pre-built libraries cut prep time. White-glove implementation in 30 days, not 6 months. Pricing built for mission-driven budgets, not Fortune-500 GRC.

The Nonprofit Regulatory Landscape

Nonprofit compliance is multi-regulator. The numbers prove it.

IRS Form 990 + Schedule O governance disclosures are public on Candid/GuideStar, where every donor, regulator, and watchdog reads them. OMB Uniform Guidance 2 CFR 200 governs every federal dollar awarded to a nonprofit. Single Audit is mandatory above $750K in annual federal awards. State charity registrations are required in 40+ states with their own forms and renewal cycles. PCI DSS 4.0 applies to every online donation form. SOX §1107 + §802 explicitly extend whistleblower + records-retention obligations to tax-exempt entities. Each regulator wants its own evidence package.

  • 40+: US states requiring annual charity registration + filing for fundraising organizations
  • $1.6T: US nonprofit sector annual revenue (Independent Sector estimate)
  • OMB UG: Uniform Guidance 2 CFR 200 governs every federal-grant-receiving nonprofit
  • 990 + O: IRS Form 990 + Schedule O governance disclosures public on Candid/GuideStar

Three Domains, One Platform

Nonprofit risk lives in three concrete domains

RiskWatch covers all three. Each domain has a dedicated workflow, scoring model, and remediation queue. They share data so a single conflict-of-interest record satisfies Form 990 Schedule O Part VI, OMB Uniform Guidance 2 CFR 200.318 (procurement integrity), board governance policy, and the federal funder's grant-agreement language simultaneously.

Risk

Donor + Grant + Reputational Risk

Survey-based risk assessment across donor data, grant compliance, conflict-of-interest, and reputational risk, aligned to Form 990 governance and Charity Navigator standards.

  • Conflict-of-interest register live
  • Grant + donor risk scoring
  • Reputational + watchdog tracking
Compliance

IRS 990 + OMB Uniform Guidance + State

IRS Form 990 + Schedule O, OMB Uniform Guidance 2 CFR 200, Single Audit prep, FASB ASC 958, and 40+ state charity registrations in one cross-mapped library.

  • 990 + Schedule O governance ready
  • OMB UG + Single Audit captured
  • Multi-state charity filings tracked
Security

PCI DSS + Donor Privacy + Cybersecurity

PCI DSS 4.0 for online donations, NIST CSF 2.0 + ISO 27001:2022 for donor + program data, and SOX §1107 + §802 records-retention controls across every system.

  • PCI DSS 4.0 donor evidence
  • NIST CSF + ISO 27001 mapped
  • Whistleblower + records ready

The Coverage Gap

Most nonprofit software covers one regulator

Nonprofit accounting platforms cover the books and 990 prep. CRM and donor platforms cover gifts and online giving. Grant management tools cover federal grant drawdowns. State charity registry tools cover one filing form. Each does one job. Compliance directors still operate four parallel programs, and a spreadsheet for the audit committee.

| Platform Category | 990 / IRS | OMB UG | Single Audit | PCI DSS | Donor Privacy | Multi-state |
|---|---|---|---|---|---|---|
| NPO Accounting Platforms (Sage Intacct NPO, Blackbaud Financial Edge) | Partial | Partial | Partial | · | · | · |
| CRM / Donor Platforms (Salesforce NPC, Bloomerang, DonorPerfect) | · | · | · | Partial | Partial | · |
| Grant Management Tools (Fluxx, Submittable, GrantHub) | · | Partial | Partial | · | · | · |
| Internal Audit / ERM (Workiva, AuditBoard) | Partial | Partial | Partial | · | · | · |
| State Charity Registry Tools (Harbor Compliance, Labyrinth) | · | · | · | · | · | Yes |
| Spreadsheets & Email | · | · | · | · | · | · |
| RiskWatch (The unified audit-ready platform) | Yes | Yes | Yes | Yes | Yes | Yes |

RiskWatch is the only platform covering all six nonprofit compliance domains: IRS Form 990 + Schedule O governance, OMB Uniform Guidance 2 CFR 200, Single Audit prep, PCI DSS 4.0 for donor data, donor + program privacy, and 40+ state charity registrations. NPO accounting platforms cover the books. Donor CRM platforms cover gifts. Grant management tools cover federal drawdowns. Each does one job. RiskWatch unifies all six in one survey-based assessment workflow.

How It Works

One platform. Continuous compliance across every regulator.

RiskWatch is a survey-based assessment platform. The work is structured around questionnaires that capture governance, grant compliance, financial controls, donor data, and cybersecurity posture in a consistent format, then scored against every framework you align to.

For nonprofits, that workflow runs continuously across IRS Form 990 + Schedule O, OMB Uniform Guidance 2 CFR 200, Single Audit preparation, FASB ASC 958, 40+ state charity registrations, PCI DSS 4.0, SOX §1107 + §802 records, and Charity Navigator + Candid Seal. A single conflict-of-interest record scores against Form 990 Schedule O Part VI, OMB UG 2 CFR 200.318, the audit-committee charter, and the organization's own governance policy simultaneously.

The same platform runs all of it, surfaces gaps before the auditor or federal program officer arrives, assigns remediation owners, and tracks completion. Replace the four parallel tools and the spreadsheet bridge between them.

The Workflow

  1. Assess
    Survey-based questionnaires capture governance, grant compliance, financial controls, donor data, and cybersecurity posture across every program, grant stream, and state of operation.
  2. Score
    Responses score against your chosen framework: IRS Form 990, OMB Uniform Guidance 2 CFR 200, Single Audit / A-133, FASB ASC 958, PCI DSS 4.0, NIST CSF 2.0, ISO 27001:2022, Charity Navigator, or custom.
  3. Remediate
    Gaps become assigned tasks. Owners get deadlines. Subrecipient + vendor + 3rd-party tasks cascade to a portal automatically, including 2 CFR 200 subrecipient-monitoring evidence.
  4. Audit
    Evidence trails export to PDF, Form 990 supporting workpapers, OMB Uniform Guidance audit binder, Single Audit submission, state charity registration packets, or board audit-committee report. Audit-ready in minutes.
Governance · Grants · Finance · Donors · Subrecipients

Built For Your Role

Who uses RiskWatch in a nonprofit organization

COO / Director of Operations

Owns day-to-day program execution, vendor management, and operational risk across multi-state programs and federal grant streams.

Operational risk register live. Vendor + subrecipient evidence captured continuously. Multi-state operations tracked from one console.

Director of Compliance + Risk

Owns IRS Form 990 + Schedule O governance, OMB Uniform Guidance, conflict-of-interest, whistleblower, and multi-state charity registrations.

990 + Schedule O governance evidence captured year-round. OMB UG + Single Audit ready. State charity filings tracked from one place.

Grants Manager (federal + foundation)

Owns federal grant drawdowns, OMB Uniform Guidance compliance, subrecipient monitoring, and foundation grant reporting.

OMB UG 2 CFR 200 evidence live. Subrecipient monitoring documented. Federal program officer questions answered from the same vault.

CFO + Finance Director

Owns FASB ASC 958 financial reporting, Single Audit preparation, internal controls over financial reporting, and audit-committee finance reporting.

Single Audit prep continuous. ASC 958 evidence captured. Internal controls scored. Audit-committee finance report built from live data.

Audit Committee Chair (volunteer board role)

Owns audit-committee oversight, external auditor liaison, whistleblower complaint review, and board-level risk reporting under Form 990 governance.

Board + audit-committee dashboards live. Whistleblower complaints tracked + reviewed. External auditor evidence exports on demand.

IT Director / Director of Donor Data

Owns PCI DSS for online donations, NIST CSF 2.0 + ISO 27001 for donor + program data, SOX §802 records retention, and donor-privacy posture.

PCI DSS 4.0 evidence captured. NIST CSF + ISO 27001 mapped. Records retention + whistleblower technical controls in place.

Built For Your Segment

Nonprofit segments we serve

Large Public Charities (501(c)(3) > $50M revenue)

National 501(c)(3) public charities operating across multiple states under IRS Form 990, OMB Uniform Guidance, Single Audit, and 40+ state charity registrations.

Mid-size Operating Charities ($10M–$50M)

Mid-cap operating charities scaling federal + foundation grants, often crossing the Single Audit threshold and registering in 10–25 states.

Foundations + Grantmaking Orgs

Private foundations + community foundations under IRS Form 990-PF, payout requirements, expenditure-responsibility rules, and donor-advised fund oversight.

Federally-Funded Nonprofits (HHS / DOJ / DOE)

Nonprofits drawing federal awards from HHS, DOJ, DOE, DOS, and other agencies under OMB Uniform Guidance 2 CFR 200 + agency-specific terms.

Religious Organizations + Faith-based

Churches, religious orders, and faith-based service organizations balancing 501(c)(3) status, denominational governance, and grant-funded program work.

Hospitals + Healthcare Nonprofits (501(c)(3))

Tax-exempt hospital systems + healthcare nonprofits running Form 990 + Schedule H community-benefit reporting alongside HIPAA + healthcare-specific rules.

Frameworks We Cover

Nonprofit frameworks built into the library

RiskWatch ships with pre-built libraries for every major US nonprofit regulation + accounting standard + watchdog rating system. Map controls once. Score against the framework that matters this audit cycle.

Regulatory Frameworks

IRS Form 990 + Schedule O
Public governance disclosures including conflict-of-interest, whistleblower, document-retention, and compensation review.
OMB Uniform Guidance
2 CFR Part 200: federal financial assistance, allowability, procurement integrity, and subrecipient monitoring.
SOX §1107 + §802
Whistleblower retaliation + record-retention obligations that explicitly apply to tax-exempt nonprofits.
FASB ASC 958
Not-for-Profit Entities: net asset classification, contribution recognition, and financial-statement presentation.
State Charity Registrations
40+ US states require annual charity registration + filing for organizations soliciting donations across state lines.
PCI DSS 4.0
Payment Card Industry Data Security Standard; applies to every nonprofit accepting donor card payments online or offline.

Industry + Recommended Practices

Single Audit / Uniform Guidance Audit
Mandatory above $750K annual federal awards (formerly OMB Circular A-133); a single audit covers all federal awards.
Charity Navigator + GuideStar/Candid
Charity Navigator ratings + GuideStar/Candid Seal of Transparency are the dominant donor-facing trust signals.
NIST CSF 2.0
Cybersecurity Framework 2.0 (Feb 2024): donor + program data baseline aligned to nonprofit risk profile.
ISO 27001:2022
Information security management standard for nonprofits handling sensitive program data + beneficiary records.
SOC 2 Type II
Trust Services Criteria for nonprofit SaaS service providers + tech-enabled service charities.
BBB Wise Giving Standards
Better Business Bureau Wise Giving Alliance 20-standard accreditation covering governance, finance, results, and solicitations.

Trusted by 1,500+ risk and compliance teams

Aon
Bose
The Coca-Cola Company
Iberdrola USA
Johnson & Johnson
Pfizer
Puma North America
SeaWorld Entertainment
TE Connectivity
We had four binders running 990 + Schedule O governance, OMB Uniform Guidance for our HHS and DOJ grants, multi-state charity registrations across 27 states, and donor PCI DSS for online giving, plus a separate spreadsheet for the audit committee. Now it's one platform. Conflict-of-interest, whistleblower, document-retention, subrecipient monitoring, and donor-privacy evidence all run from the same vault. Our last Single Audit produced zero questioned costs and one minor finding instead of seven.
R. Okolie
Director of Compliance + Risk, National 501(c)(3) public charity · 540 employees · 27 program states · 3 federal grant streams
  • 4 → 1: compliance binders consolidated to one platform
  • 7 → 1: Single Audit findings on most recent audit cycle
  • 30 days: from kickoff to first 990 + OMB UG scoring live

Public Charities · Foundations · Federally-Funded

See RiskWatch run a 990 + OMB UG + Single Audit cycle live

30-minute walkthrough of the nonprofit library, your grant + state inputs, and the single evidence-trail output. No slideware, no consulting upsell, no Fortune-500 pricing.

Or call US: +1 941-500-4525
