June 17, 2026

What is Nonprofit Compliance? A 2026 Compliance Guide

Nonprofit compliance in 2026: how to evidence the tax, audit, governance and vendor obligations tied to your funding.
Rod Linsley

What is nonprofit compliance?

Nonprofit compliance is the ongoing work of meeting the obligations attached to an organisation's tax-exempt status and funding, and proving it to the IRS, state regulators and funders. In practice it is less about knowing the rules than evidencing them: the failures rarely sit in the rules themselves, but in the evidence an organisation can produce when a regulator asks.

That is the shift compliance for nonprofit organizations has undergone. It is no longer a policy-document exercise, settled once and shelved. It lives in the day-to-day mechanics of how an organisation manages vendors, contracts and third-party delivery, and changes the moment a supplier or subrecipient does.

The distance between an organisation's documented obligations and how it operates day to day is where enforcement risk now concentrates. A Single Audit, required once federal spending crosses the threshold set in 2 CFR 200.501, tests whether the paper trail matches the practice. Keeping that trail current is the work that third-party compliance monitoring is built to support.

What are the main areas of nonprofit compliance?


Nonprofit compliance breaks into a handful of distinct domains. Most organisations meet some well and quietly neglect others, usually the third-party side. The Government Accountability Office, in a March 2025 report analysing 3,680 single audit findings from 2022 to 2024, found 36 percent involved incomplete subaward reporting, and in nearly half of cases recipients lacked the internal controls for basic subaward oversight. That tells you where the gaps tend to open.

The domains of nonprofit regulatory compliance are:

  • Federal tax and IRS filings. The annual Form 990 in its correct version, plus the rules attached to tax-exempt status.
  • State charity registration and fundraising. Registering to solicit in each state where you raise funds, and renewing on time.
  • Financial and audit obligations. Independent financial statement audits and, above the federal spending line, a single audit.
  • Federal grant rules. The Uniform Guidance framework governing how awards are spent and how subrecipients are managed, covered in detail under federal grant compliance.
  • Governance and conflict of interest. Board fiduciary duties and documented policies, including a nonprofit conflict of interest policy.
  • Data protection. Safeguarding donor, beneficiary and program data, including data held by your vendors.
  • Third-party and vendor oversight. Knowing who you work with, what they agreed to, and that they still meet it, the core of nonprofit risk management.

These domains stack rather than substitute. An organisation can be flawless on its 990 and still fail an audit on subrecipient monitoring it never assigned to anyone.

What are the federal tax compliance requirements for nonprofits?

Federal tax compliance for nonprofits centres on the annual IRS Form 990. Every 501(c)(3) must file some version each year. The smallest organisations file the Form 990-N, mid-size organisations the 990-EZ, and larger ones the full Form 990. Missing the filing for three consecutive years triggers automatic revocation of tax-exempt status.


The IRS and the states both use Form 990 to police tax-exempt status, which is why nonprofit tax compliance is more than a return. The form asks directly about governance, related-party transactions and policies, and the answers are public. Late filing carries escalating daily penalties, and the three-year revocation rule is automatic, with no enforcement discretion.

One in-force change deserves attention. The 2024 Uniform Guidance revision shifted mandatory disclosure, so recipients must now report fraud, conflicts of interest or False Claims Act violations on credible evidence, not only on confirmed violations. This took effect in October 2024 and lowers the bar for when a disclosure obligation is triggered. Keeping the underlying records straight is the same discipline covered in managing contract obligations and compliance.

What are the financial and audit compliance obligations for nonprofits in 2026?

A federal Single Audit is now required only when a nonprofit spends one million dollars or more in federal funds in a fiscal year, up from the previous seven hundred and fifty thousand dollar line. The change took effect for fiscal years beginning on or after 1 October 2024, attributed to OMB Uniform Guidance at 2 CFR Part 200. The relief is partial, because the documentation and internal control obligations behind the audit rose at the same time.

The bar moved; it did not fall. Awards issued before October 2024 can still carry the old threshold, so an organisation holding a mix of older and newer awards has to track them by issue date. Many funders also require an independent audit regardless of the federal figure.

It helps to separate the two things people call an audit. An independent financial statement audit examines whether your financial statements are fairly presented. A Single Audit goes further and tests compliance with the specific rules attached to each federal program. For the detail, see what a nonprofit audit involves, and for the practical readiness steps, how to prepare for a nonprofit audit.

How do federal grant rules and the single audit affect nonprofit compliance?

Nonprofits receiving federal grants are governed by the Uniform Guidance framework at 2 CFR Part 200, which sets how funds may be used, which costs are allowable, and how vendors and subrecipients must be managed. The single audit tests compliance with these rules. Subaward problems are a persistent theme. The Government Accountability Office found that 36 percent of 3,680 findings reviewed for 2022 to 2024 involved incomplete subaward reporting, with weak subrecipient oversight a recurring issue alongside it.

A subrecipient is an organisation you pass federal funds to so it can carry out part of a program. The duty to monitor that subrecipient sits with the primary recipient, not with the funder. The 2025 OMB Compliance Supplement expanded those monitoring expectations, requiring more granular documentation at every tier of funding.

That is continuous third-party due diligence by another name. It means checking who you fund, collecting evidence that funds are used correctly, and keeping that current rather than reviewing it once a year. On the vendor and contract side of this work, Gatekeeper's AI agents do the collecting, chasing and monitoring, while your team keeps the grant and compliance decisions. For the wider picture, our grant compliance guide covers the program-side detail our agents do not touch.

What are the governance and conflict of interest compliance requirements?

Governance compliance requires a nonprofit board to exercise its fiduciary duties: oversight of finances, vendors and risk, plus documented policies such as a conflict of interest policy. The IRS Form 990 asks directly whether an organisation has one. Governance failures, rather than the law itself, sit behind many of the sector's most damaging enforcement cases.

A conflict of interest policy requires board members and key staff to disclose related-party interests and recuse themselves from affected decisions. Maintaining one is straightforward in principle and routinely neglected in practice, which is why it is a standing item in a nonprofit's wider risk management programme.

The Oxfam GB case shows the scale governance failures can reach. The UK Charity Commission's statutory inquiry reviewed over 7,000 items of evidence, found some failings amounted to mismanagement, and issued an official warning under the Charities Act 2011. At the time, up to £29 million of European funding and £31.7 million of UK government funding were reported at risk. The detail of building and recording a conflict of interest policy sits in our dedicated guide.

Why is third-party and vendor oversight now central to nonprofit compliance?

Third-party oversight has become central to nonprofit compliance because most of an organisation's data and delivery risk now sits with its vendors and subrecipients. The 2024 Uniform Guidance revision requires recipients to build cybersecurity safeguards, such as data encryption and multi-factor authentication, into their internal controls. That pulls vendor security posture directly into compliance scope.

The Blackbaud breach is the defining example. The 2020 ransomware attack on a fundraising and data vendor exposed data held on behalf of more than 13,000 nonprofit, healthcare and educational clients. In October 2023, 49 state attorneys general settled with Blackbaud for $49.5 million. The nonprofits paid none of the penalty, but their contracts had not required adequate data security, so there was no ongoing oversight to catch the gap.

This is the gap Gatekeeper is built to close, on the vendor and contract side. The Blackbaud failure had two parts: a contract that never required adequate security, and no ongoing check that the vendor still met it. Risk findings at intake shape the terms a vendor has to agree to, and Gatekeeper's AI agents then track the certificates and attestations behind those terms, flagging the moment a vendor's posture slips. The team keeps the risk decisions, and the agents keep the record current.

The scope matters. Gatekeeper evidences the vendor and contract side of compliance, not your financial statements and not the program rules themselves. The record sits in one platform on a single data model: contract management for the agreements and obligations, and vendor management for the parties and their status.

Trusted by nonprofits including the YMCA of Greater Seattle and Rockefeller Philanthropy Advisors.

Where does Gatekeeper fit, and where does it not?

Gatekeeper fits one of the seven domains cleanly, the third-party and vendor side, and shares two more. It does not touch your filings, the audit itself, or the program rules. The honest split is below.

Domain | Who does it | What Gatekeeper does
--- | --- | ---
Federal tax and IRS filings (Form 990) | Your responsibility | Gatekeeper does not prepare or file returns. The filing and its governance answers stay with you.
State charity registration and fundraising | Your responsibility | Registration and renewal sit outside the platform.
Financial and single-audit obligations | Your responsibility | Gatekeeper supplies the vendor, contract and subrecipient evidence the audit's third-party questions draw on. The audit itself is run by your independent auditor.
Federal grant rules and subrecipient monitoring | Shared | Gatekeeper's AI agents collect, chase and track documents and attestations from the parties you fund, and flag changes. Allowable-cost and program judgement stays with you.
Governance and conflict of interest | Shared | Vendor and related-party approvals and disclosures are recorded on an audit trail. Board fiduciary duties and the policy itself stay with the board.
Data protection and vendor security | Shared | Vendor security posture, certificates and contractual security provisions are tracked and enforced. Protecting your own systems stays with you.
Third-party and vendor oversight | Gatekeeper does this | One repository for every vendor and contract on a single data model, with screening, tiering, document collection, certificate and attestation tracking, and change alerts.

What does a nonprofit compliance checklist look like?

A nonprofit compliance checklist should cover seven recurring obligations. It turns scattered duties into a routine that can be evidenced on demand, which is the whole point. The hardest items to produce when a regulator asks are almost always the third-party ones.

The core nonprofit compliance requirements to track are:

  1. File the correct IRS Form 990 on time. Done means filed annually in the right version, because three consecutive missed years means automatic revocation under IRS rules.
  2. Keep state charity registrations current. Done means registered and renewed in every state where you solicit funds.
  3. Meet financial and single-audit requirements. Done means an independent audit where a funder requires it and a Single Audit where federal spending crosses one million dollars.
  4. Track grant and subrecipient obligations. Done means current monitoring evidence for every subrecipient you fund.
  5. Maintain governance policies. Done means a board-approved conflict of interest policy with up-to-date disclosures.
  6. Protect data. Done means safeguards in place across your own systems and the vendors handling your data.
  7. Keep a current record of every vendor and contract. Done means one place that holds each agreement, its obligations and its renewal dates.

The first six are familiar. The seventh, the vendor and contract side, is the one a system of record keeps current on its own. For the foundations, read what is contract compliance, or take the free contract management ebook for the longer treatment.


Which nonprofit compliance rules are in force versus proposed?

Several nonprofit compliance rules are settled and in force in 2026: the one million dollar Single Audit threshold, the 2024 Uniform Guidance cybersecurity internal-control requirement, and the expanded subrecipient monitoring expectations. One major change is still only proposed. OMB published a proposed overhaul of the Uniform Guidance on 29 May 2026, open for comment until 13 July, with a final rule expected around 1 October 2026.

Keeping the two apart matters, because planning around a proposal that may change wastes effort. All dates and items below are attributed to OMB.

Status | What it covers
--- | ---
In force now | The one million dollar Single Audit threshold; the cybersecurity internal-control requirement; expanded subrecipient monitoring.
Proposed, not yet law | OMB proposed Uniform Guidance overhaul, published 29 May 2026, comment until 13 July, final expected around 1 October 2026. Would expand award-termination powers, add political review before awards are issued, and attach new conditions to funding.

The proposed rule would expand agencies' power to terminate awards, add political review before awards are issued, and attach new conditions to funding. These are grant-condition and eligibility matters for leadership and counsel, not vendor or contract matters. A vendor and contract system of record does not address them, so treat anything claiming otherwise with caution and plan around what is in force until the rule is final.

Frequently asked questions

What are the compliance requirements for a nonprofit?

The core requirements are annual IRS Form 990 filing, state charity registration wherever you solicit, financial and single-audit obligations once federal spending crosses the threshold, governance policies including a conflict of interest policy, data protection, and third-party or vendor oversight. These obligations stack at federal, state and funder levels at the same time rather than replacing one another.

What is nonprofit tax compliance?

Nonprofit tax compliance is meeting the IRS obligations attached to tax-exempt status, principally the annual Form 990 in its correct version. The form is how the IRS and states police that status. Failing to file for three consecutive years triggers automatic revocation of 501(c)(3) status under IRS rules, with no enforcement discretion involved.

Do all nonprofits need an audit?

No. A federal Single Audit is required only when a nonprofit spends one million dollars or more in federal funds in a fiscal year, under the threshold effective for fiscal years beginning on or after 1 October 2024. Below that, no federal Single Audit applies, though individual funders may still require an independent audit as a condition of their award.

What happens if a nonprofit fails to comply?

Consequences range from financial penalties and late-filing fees to loss of tax-exempt status, loss of funding, and enforcement action by the IRS, state attorneys general, or the HHS Office for Civil Rights. Reputational damage often outlasts the fine. Because state regulators share information, a violation in one state can prompt scrutiny in others.

What is a nonprofit compliance checklist?

A nonprofit compliance checklist is a recurring list of the obligations an organisation must meet to keep its status and funding: Form 990 filing, state registrations, audit requirements, grant and subrecipient obligations, governance policies, data protection, and vendor and contract records. It turns scattered obligations into a routine that can be evidenced on demand rather than reconstructed under pressure.

Where does Gatekeeper fit in nonprofit compliance?

Gatekeeper is the vendor, contract and third-party evidence layer. Its AI agents screen parties, collect and chase documents, track certificates and attestations, and flag changes, so the vendor and contract side of compliance stays current and provable. It does not run audits, manage grants, or make compliance decisions. People keep the judgement calls.
