Who Really Handles Compliance — And Where Your IT Provider Fits In
For many small and mid‑sized businesses and nonprofits, compliance feels confusing. Is it a board issue? A staff issue? An IT issue? Or something your MSP is supposed to “handle”? The short answer is: compliance can’t be outsourced — but it can be supported. Let’s break this down in plain English.
4/21/2026 · 1 min read
Who Actually Owns Compliance?
✅ The Board of Directors
Legally speaking, compliance sits with the board.
Nonprofit boards are fiduciaries. That means they are responsible for ensuring the organization:
Follows federal, state, and local laws
Protects financial and data assets
Files required disclosures (like Form 990)
Operates according to its mission and bylaws
Even volunteer board members hold this responsibility — and regulators expect boards to exercise oversight, not delegate it away.
Put simply: If something goes wrong, regulators don’t call the IT provider first — they look to the organization’s leadership and board.
Who Handles Compliance Day‑to‑Day?
✅ Executive Leadership and Management
While the board sets direction and oversight, management executes compliance.
This usually includes:
Implementing board‑approved policies
Ensuring staff follow procedures
Managing vendors and service providers
Keeping records, reports, and documentation up to date
The board governs.
Leadership operates.
That distinction matters.
Where Technology Fits In
Here’s the reality: modern compliance depends on technology, even though the obligations themselves don’t come from technology.
Areas where IT directly affects compliance:
Email retention and records management
Access control (who can see what, and when)
Protecting donor, client, and financial data
Business continuity and backups
Audit trails and logging
A nonprofit with weak systems is exposed — even if everyone’s intentions are good.
So What Is an MSP’s Role?
Any good Managed Service Provider supports compliance — it doesn’t own it.
What MSPs do:
✔ Secure and maintain systems
✔ Configure platforms like Microsoft 365 correctly
✔ Implement security best practices
✔ Reduce technical risk
✔ Provide documentation and visibility
What MSPs don’t do:
✖ Decide policy
✖ Interpret laws
✖ Accept fiduciary responsibility
✖ Declare an organization “compliant”
The MSP builds the infrastructure.
The nonprofit owns the decisions and accountability.
The Best Compliance Model
Strong nonprofits treat compliance as a team effort: the board governs, leadership operates, and the IT provider supports.
When everyone stays in their lane, compliance becomes manageable, defensible, and sustainable.
Final Thought
Compliance isn’t an IT product.
But without the right IT foundation, compliance eventually fails.
The goal isn’t to outsource responsibility — it’s to build systems that support it.