
ACNC Compliance and IT: A Practical Guide for Australian Not-for-Profits

Operating as a registered charity in Australia comes with genuine accountability obligations. The Australian Charities and Not-for-profits Commission (ACNC) requires registered organisations to maintain accurate records, report annually, and govern themselves to an appropriate standard. What is less discussed — but increasingly important — is the role that your IT environment plays in meeting these obligations and protecting your organisation.

What the ACNC Expects from Registered Charities

Under the ACNC Act, registered charities must keep financial records that correctly explain their financial transactions and position, be able to prepare financial statements from those records, and retain records for a minimum of seven years. They must also report annually via the Annual Information Statement, and larger organisations face additional audit and financial reporting requirements.

None of this is possible without a reliable, well-maintained IT environment. Accounting software, document management, email, and file storage are all foundational — and all need to be managed with appropriate care.

Data Retention and the Seven-Year Rule

The seven-year document retention requirement is not just about filing cabinets. In a modern organisation, financial records, grant agreements, board minutes, correspondence, and contracts exist primarily in digital form. Your IT systems need to ensure these records are stored reliably, backed up, and retrievable.

Cloud-based document management and accounting solutions — such as those within the Microsoft 365 ecosystem or dedicated platforms like Xero — provide version history, access logs, and retention policies that make seven-year compliance manageable. The critical step is configuring these tools correctly from the outset.

Cybersecurity Obligations Under the Privacy Act

Many not-for-profits hold sensitive personal information — about clients, beneficiaries, donors, and staff. Under the Privacy Act 1988 and the Australian Privacy Principles, organisations with annual turnover above $3 million (and some smaller organisations in specific sectors) have obligations to protect this information from unauthorised access or disclosure.

A data breach involving beneficiary information can have serious consequences — reputational, legal, and operational. The Notifiable Data Breaches scheme requires organisations to notify the Office of the Australian Information Commissioner and affected individuals in the event of an eligible data breach.

Implementing basic cybersecurity controls — multi-factor authentication, regular software updates, staff training, and endpoint protection — is not optional for any organisation handling personal information.

Board Governance and IT Risk

ACNC governance standards require charity boards to act with reasonable care and diligence. Increasingly, this includes understanding and managing technology risk. Boards do not need to be technical, but they do need to ask the right questions: Are our records backed up? Are we protected against ransomware? Do we have a plan if a key system fails?

A simple IT risk register, reviewed annually at the board level, demonstrates the kind of responsible governance the ACNC expects — and provides peace of mind for leadership.

Microsoft 365 for Not-for-Profits: The Donation Programme

Microsoft offers deeply discounted and donated Microsoft 365 licences to eligible Australian not-for-profits through its TechSoup partnership. For organisations that qualify, this means access to enterprise-grade email, document management, Teams collaboration, and security tools at minimal or no cost.

The application process requires a current ACNC registration and can take several weeks. However, the tools available through the donation programme represent significant value and are well worth pursuing if your organisation has not already done so.

Working with an IT Provider Who Understands the Sector

Not-for-profits have unique IT needs — constrained budgets, volunteer environments, sector-specific software, and compliance obligations that differ from commercial organisations. An IT provider with experience in the not-for-profit sector will understand these nuances and help you get maximum value from your technology investment.

From configuring ACNC-compliant record-keeping to managing cybersecurity on a restricted budget, the right IT partner is one who sees your mission as clearly as they see your systems.
