Person vacuuming digital threats into trash as team sees computer showing secure and clean system icons.

6 Questions Every Nonprofit Should Ask Their IT Provider Every Quarter

July 13, 2026

6 Questions Every Nonprofit Should Ask Their IT Provider Every Quarter

If you're reading this, there's a good chance technology decisions have become part of your job—even though they were never supposed to be.

You're responsible for protecting client information, maintaining donor trust, supporting staff, answering board questions, and ensuring services continue without interruption.

And somewhere in the middle of all that, you're expected to make smart technology decisions.

That's a heavy burden.

Most nonprofit leaders aren't worried about servers or software.

They're worried about letting people down.

That's why quarterly IT reviews matter.

Not because technology changes every quarter.

Because risk does.

The right conversation today can prevent the crisis that steals your attention six months from now.

Here are six questions every nonprofit should ask their IT provider every quarter—and exactly how to tell whether the answers should make you feel confident or concerned.

The Real Cost of Not Asking

Most nonprofit technology failures don't start with a cybercriminal.

They start with assumptions.

Someone assumes backups are working.

Someone assumes former employees no longer have access.

Someone assumes donor information is protected.

Someone assumes "the IT company handles that."

Then an incident happens.

What looked fine from the outside suddenly becomes a leadership problem.

The nonprofits that avoid these situations usually aren't doing anything extraordinary.

They're asking better questions consistently.

Question 1: What Security Risks Need Our Attention Right Now?

Every nonprofit has security risks.

Every single one.

The question is whether anyone is actively looking for them.

Ask:

  • What are our top three security risks today?
  • Have there been suspicious login attempts?
  • Are any users missing multifactor authentication?
  • Are any devices missing security updates?
  • Are old accounts still active?

What Good Answers Sound Like

Weak Answer:

"Everything looks good."

Strong Answer:

"Five laptops are missing critical updates. Two staff members still need multifactor authentication enabled. Three inactive accounts have access to shared files and are scheduled for removal this week."

One answer creates confidence.

The other creates assumptions.

What We Commonly Find

When nonprofit environments are reviewed, some issues appear repeatedly:

  • Inactive user accounts still have access
  • Multifactor authentication isn't enabled everywhere
  • Shared permissions have never been reviewed
  • Critical software updates are delayed
  • Leadership has no visibility into technology risk

None of these issues seem urgent until they're exploited.

Question 2: Have We Tested Our Backups Recently?

This may be the most important question in the entire article.

Because when something goes wrong, differences in security maturity become obvious very quickly.

Ask:

  • When was our last recovery test?
  • What systems were included?
  • How long did restoration take?
  • Are Microsoft 365 files included?
  • Are donor systems included?
  • Are recovery procedures documented?

What Good Answers Sound Like

Weak Answer:

"Backups run every night."

Strong Answer:

"We completed a recovery test last quarter. Shared files, Microsoft 365 data, and donor information were restored successfully. Recovery took 43 minutes, and the process is documented."

One answer describes a backup.

The other describes readiness.

How One Nonprofit Discovered Backup Gaps Before It Was Too Late

A nonprofit leadership team believed their backup strategy was in excellent shape.

Their IT provider had repeatedly confirmed backups were running successfully.

During a quarterly review, leadership asked a simple question:

"When was the last recovery test?"

No one knew.

A test was performed.

What they discovered surprised everyone.

Microsoft 365 data wasn't fully protected.

Recovery procedures weren't documented.

Key personnel didn't know their roles during an outage.

Fortunately, they found the problem during a review instead of an emergency.

Within weeks they:

  • Expanded backup coverage
  • Documented recovery procedures
  • Assigned response responsibilities
  • Added quarterly recovery testing

Nothing dramatic happened afterward.

And that's the point.

Prepared organizations often have uneventful stories.

Question 3: Where Is Technology Slowing Down Our Staff?

Technology problems rarely appear as emergencies.

They appear as friction.

An employee wastes time searching for files.

A donation export requires manual cleanup every week.

Staff maintain backup spreadsheets because systems don't communicate with each other.

No individual problem seems worth reporting.

Collectively, they drain productivity.

Ask:

  • What generates the most support requests?
  • What repetitive tasks are staff doing manually?
  • Where are employees creating workarounds?
  • What systems cause the most frustration?
  • What should we automate or integrate?

Where It Usually Breaks

This often starts with spreadsheets.

A system lacks reporting functionality.

Someone exports data.

Then another person creates their own version.

Soon multiple versions exist.

Nobody knows which one is correct.

The problem isn't the spreadsheet.

The problem is that technology stopped supporting the process.

Question 4: Are We Still Compliant and Properly Documented?

Compliance isn't something you achieve.

It's something you maintain.

Policies become outdated.

Staff roles change.

New software gets introduced.

Documentation stops matching reality.

Ask:

  • Have compliance requirements changed?
  • Are our policies current?
  • Have permissions been reviewed?
  • Is training documented?
  • Are donation platforms being reviewed?
  • Can we produce evidence if we're audited?

The External Evaluator Test

Imagine your organization is being evaluated tomorrow by:

  • Your board
  • A cyber insurance carrier
  • A grant funder
  • An auditor
  • A major donor

Would they see documented processes?

Or good intentions?

That's an important distinction.

Organizations are judged by evidence.

Not effort.

For HIPAA-Oriented Nonprofits

If you serve clients through counseling, healthcare, recovery services, or related programs, ask:

  • Has our risk assessment been reviewed recently?
  • Are policies current?
  • Is workforce training documented?
  • Are access controls functioning correctly?

For Donation Processing

Ask:

  • Who has administrative access to donation systems?
  • Are permissions reviewed regularly?
  • Are payment systems monitored appropriately?
  • Is donor information protected according to documented policies?

The goal isn't perfect compliance.

The goal is defensible compliance.

Question 5: What Should We Budget For Next Quarter?

The best technology investments are planned.

The worst technology investments are urgent.

Ask your provider to review:

  • Aging hardware
  • Licensing changes
  • Software renewals
  • Warranty expirations
  • Security improvements
  • Backup investments
  • Website risks
  • Infrastructure upgrades

A quality quarterly review should reduce surprises.

Not introduce them.

Question 6: Where Are We Falling Behind?

This question separates strategic providers from reactive providers.

Ask:

  • What are organizations like ours doing differently?
  • What risks are increasing?
  • Which improvements create the greatest impact?
  • Where are we over-relying on manual processes?
  • What should we address first?

Strong providers prioritize.

Weak providers overwhelm.

One Question Most Nonprofits Forget to Ask

Ask this every quarter:

"If we experienced a cybersecurity incident tomorrow, who would do what during the first 24 hours?"

Most organizations discover they don't actually know.

Who contacts leadership?

Who communicates with staff?

Who works with vendors?

Who coordinates recovery?

Who speaks with donors if necessary?

The first day of an incident is rarely the time to figure this out.

Nonprofit Technology Maturity Scale

Level 1: Reactive

  • Problems are fixed after they occur
  • Limited documentation
  • Minimal planning

Level 2: Documented

  • Basic policies exist
  • Backups are configured
  • Security controls are established

Level 3: Managed

  • Reviews happen quarterly
  • Risks are tracked
  • Recovery testing occurs regularly
  • Leadership receives reporting

Level 4: Strategic

  • Technology supports board objectives
  • Budget planning is proactive
  • Security decisions align with organizational goals
  • Leadership has visibility into risk trends

Most nonprofits don't need perfection.

Most nonprofits simply need to move from Reactive to Managed.

Nonprofit Technology Risk Scorecard

Area

Green

Yellow

Red

MFA

Enabled for all users

Partial deployment

Limited deployment

Backups

Tested quarterly

Tested annually

Never tested

Staff Training

Annual program

Occasional training

None

Device Lifecycle

Under 5 years

Mixed ages

End-of-life devices

Donation Security

Reviewed regularly

Inconsistent review

No review process

Board Reporting

Quarterly reviews

Annual updates

No reporting

If you're yellow or red in multiple categories, that's where to focus first.

Quarterly IT Review Worksheet

Bring this worksheet to your next meeting.

Top Three Risks




Budget Planning

Upcoming investments:


Upcoming renewals:


Compliance Review

Policy updates needed:


Training requirements:


Next Quarter Priorities




Board Reporting Template

Require a one-page summary containing:

  • Top Three Risks
  • Mitigations Completed
  • Budget Requests
  • Open Compliance Concerns
  • Major Technology Projects
  • Next Quarter Priorities

This turns IT from a support conversation into a governance conversation.

Your Next-Week Action

Put a 30-minute quarterly IT review on the calendar next week.

Send these six questions in advance.

Require written answers, documented evidence, and a prioritized action plan.

You will learn more from that single meeting than from six months of assumptions.

Schedule Your 10 Minute Discovery Call

Schedule your 10 minute discovery call and use it as a sanity check on your current risk posture. In 10 minutes, 911 IT can help identify whether your biggest technology risks are already being managed—or simply being assumed away.