CRM Software for ACNC Compliance and Governance

Understanding ACNC Governance Standards

The Australian Charities and Not-for-profits Commission (ACNC) sets governance standards that all registered charities must meet to maintain their registration. These standards aren't just bureaucratic requirements—they're designed to ensure charities operate responsibly and maintain public trust.

While ACNC governance standards don't explicitly mandate specific technology systems, meeting these standards becomes significantly easier—and more demonstrable—with appropriate CRM infrastructure.

Governance Standard 5: Where CRM Matters Most

Governance Standard 5 requires responsible persons (board members, directors, trustees) to:

• Act with reasonable care and diligence
• Act honestly and fairly in the charity's best interests
• Not misuse their position or information
• Disclose conflicts of interest
• Ensure the charity's finances are managed responsibly

The "reasonable care and diligence" requirement extends to overseeing how the organisation manages client data, protects sensitive information, and maintains accountability for data access. This is where CRM capabilities directly support governance compliance.

How CRM Supports ACNC Governance

Comprehensive Audit Trails

Every data access and modification is logged automatically in Microsoft Dynamics 365. This includes:

• Who accessed or modified a record (user identification)
• When the access or modification occurred (timestamp)
• What was accessed or changed (record and field level)
• From where the access originated (IP address, device)

This audit capability directly supports Governance Standard 5's requirement for responsible oversight. Boards can verify that data access follows appropriate policies, and any anomalies can be investigated. Learn more about compliance features.

Access Controls and Security

Demonstrating "reasonable care" requires showing that sensitive data is protected by appropriate controls:

• Role-Based Access: Staff only see data relevant to their role
• Record-Level Security: Case workers access only their assigned clients
• Field-Level Security: Sensitive fields (financial, medical) visible only to authorised staff
• Security Groups: Permissions managed by team, region, or function

The Security page details the six-layer security model that provides this protection.

Board Reporting Dashboards

Governance Standard 5 requires boards to exercise oversight—but oversight requires information. CRM dashboards provide:

• Service Delivery Metrics: Clients served, sessions delivered, outcomes achieved
• Risk Status: Current risks, mitigation progress, overdue reviews
• Compliance Indicators: Data quality, access patterns, policy adherence
• Funding Status: Grant utilisation, reporting deadlines, acquittal status

These dashboards update automatically from operational data, ensuring boards see current information without manual report compilation.

Risk Register

Demonstrating due diligence includes documenting known risks and mitigation strategies. The Compliance & Reporting module includes a risk register for:

• Recording identified risks with likelihood/impact assessment
• Assigning ownership and accountability
• Tracking mitigation actions and progress
• Scheduling reviews to ensure ongoing attention
• Linking risks to specific cases, programs, or compliance issues

ACNC Annual Information Statement

Registered charities must submit an Annual Information Statement (AIS) to ACNC, reporting on:

• Beneficiaries and people assisted
• Programs and activities delivered
• Staff and volunteer numbers
• Financial information

A CRM system that tracks clients, programs, and service delivery provides the operational data needed for accurate AIS completion—without the manual compilation from multiple spreadsheets that many organisations endure each year.

Privacy Act Alignment

Governance Standard 3 requires compliance with Australian laws, including the Privacy Act 1988 and Australian Privacy Principles (APPs). CRM supports privacy compliance through:

Consent Management

Track explicit consent for data collection, use, and sharing at the individual level. Record when consent was given, for what purposes, and any subsequent changes or withdrawals.

Data Minimisation

Structured data fields encourage collecting only necessary information, rather than the sprawling free-text that accumulates in unstructured systems.

Access and Correction Rights

APPs give individuals rights to access their data and request corrections. CRM makes responding to these requests straightforward—find the record, export or correct the relevant information, document the request and response.

Data Retention and Disposal

Configure retention policies aligned with legal requirements. Automated archival and disposal workflows reduce compliance risk while maintaining necessary records.

Australian Data Residency

All data in Microsoft Dynamics 365 for Australian NFPs resides in Australian datacentres (Sydney and Melbourne), satisfying data sovereignty requirements and reducing cross-border data transfer concerns.

State Charitable Fundraising Requirements

Beyond ACNC registration, charities conducting fundraising must comply with state-based regulations. Requirements vary by state but commonly include:

• Victoria: Consumer Affairs Victoria registration, annual returns
• NSW: NSW Fair Trading registration, financial reporting
• Queensland: Office of Fair Trading requirements
• Other states: Varying registration and reporting obligations

CRM helps by maintaining donor records, donation history, receipt generation, and the reporting data required for state compliance. Organisations operating nationally can generate state-specific reports from consistent underlying data.

Demonstrating Compliance to ACNC

ACNC may review a charity's compliance with governance standards. When this happens, organisations need to demonstrate:

1. Policies exist for data governance, access control, and privacy
2. Policies are implemented through appropriate systems and controls
3. Evidence exists of ongoing compliance (audit trails, access logs)
4. Board oversight is documented (minutes, reports, risk reviews)

A properly configured CRM provides the evidence trail for points 2, 3, and supports point 4 through automated reporting. Without such systems, organisations struggle to demonstrate compliance beyond simply asserting that policies exist.

Implementing Governance-Ready CRM

Configuring CRM for ACNC governance compliance involves:

1. Security Model Design: Define roles, teams, and access levels aligned with organisational structure
2. Audit Configuration: Enable comprehensive logging for sensitive entities and fields
3. Dashboard Development: Create board-appropriate reporting views
4. Risk Register Setup: Configure risk categories, assessment criteria, and review schedules
5. Consent Tracking: Implement consent fields and workflow triggers
6. Policy Documentation: Align system configuration with documented governance policies

Learn about our implementation process for governance-focused CRM configuration.