Pro Bono Cybersecurity, Privacy & Governance Readiness Audits

Non-Certifying Readiness Assessments Aligned with Recognized Security, Privacy, and Governance Frameworks for Under-Resourced Nonprofit Organizations


Nonprofit organizations increasingly manage sensitive donor, beneficiary, and operational data while facing rising cybersecurity, privacy, and technology governance risks. Many lack the financial capacity to engage formal audits or certification programs.

To address this gap, we offer a limited number of pro bono cybersecurity, privacy, and governance readiness audits each year for qualified nonprofit organizations that cannot reasonably afford commercial assessment services.

Purpose of the Program

Cybersecurity and privacy risks are systemic. When under-resourced organizations remain unassessed, vulnerabilities can propagate across partner networks, funding ecosystems, and shared technology platforms.

Our practice was formed, in part, to address this reality.

This program exists to:

  • Reduce systemic cybersecurity and privacy risk

  • Support responsible governance and oversight

  • Improve audit, certification, and regulatory preparedness

  • Strengthen trust across nonprofit, donor, and partner ecosystems

Participation in this program does not create any obligation to purchase future services.

Nature of the Engagement

This engagement is a non-certifying, non-attesting readiness and gap assessment, performed by qualified audit professionals, to support board oversight and preparation for future audits or certifications.

It is designed to support:

  • Board and executive oversight

  • Internal risk management

  • Preparation for future third-party audits or certifications

No assurance, certification, or regulatory compliance opinion is provided.

Deliverables

Each engagement typically includes:

  • Executive and board-level risk summary

  • Framework-aligned readiness and gap analysis

  • Identification of material cybersecurity, privacy, and governance risks

  • Prioritized remediation and improvement roadmap

  • Guidance to support future audits, certifications, insurance, or grant requirements

All deliverables are advisory and non-attesting.

Explicit Exclusions

To maintain independence and regulatory clarity, this program does not include:

  • Certification, validation, or compliance attestation

  • SOC examination reports or CPA services

  • ISO certification audits

  • GDPR legal compliance determinations

  • Penetration testing or vulnerability exploitation

  • Remediation, implementation, or system configuration

  • Ongoing monitoring or managed security services

Eligibility & Selection

Pro bono readiness audits are reserved for nonprofit organizations that:

  • Maintain active U.S. 501(c)(3) status

  • Demonstrate financial inability to engage commercial audit services

  • Handle donor, beneficiary, or sensitive operational data

  • Serve underserved or high-risk communities

Capacity is limited. Not all applicants can be accommodated.

Frameworks & Standards Alignment

Assessments are aligned, at a readiness level, with recognized frameworks commonly referenced by certifying bodies, auditors, and regulators:

  • NIST Cybersecurity Framework (CSF)

  • ISO/IEC 27001 — Information Security Management (control objectives only)

  • ISO/IEC 42001 — Artificial Intelligence Management Systems (governance & risk readiness)

  • SOC 2 Trust Services Criteria (readiness only)

  • GDPR — Privacy and data protection readiness

Alignment indicates preparation and awareness, not conformance or certification.


This assessment helps organizations:

  • Demonstrate good-faith governance and risk oversight

  • Establish a defensible baseline before formal audits

  • Identify material gaps early, before regulatory or donor scrutiny

  • Prepare responsibly for future certification or attestation

Scope of Review

The assessment focuses on governance, risk awareness, and organizational maturity, not technical exploitation or compliance testing.

Review areas may include:

  • Cybersecurity, privacy, and AI governance structures

  • Risk management and oversight processes

  • Identification and handling of sensitive data

  • Identity and access management practices

  • Incident response and recovery preparedness

  • Use of cloud services, AI-enabled systems, and third-party vendors

  • Security and privacy awareness and training

Methods include interviews, documentation review, and high-level observation.

Request Consideration

Organizations seeking consideration for a pro bono cybersecurity, privacy, and governance readiness audit may submit a brief application outlining mission, size, funding profile, and technology environment.


Apply now for a short eligibility review — selected organizations will be contacted within 10 business days

Important Note

Pro bono services are limited in scope and availability and are provided solely as readiness and advisory assessments. No certification, assurance, or compliance opinion is expressed or implied.

FAQs

What is the purpose of the pro bono program?

The pro bono program provides independent cybersecurity, privacy, and compliance readiness assessments to under-resourced nonprofit organizations that would not otherwise be able to afford professional audit or assessment services. The objective is to improve governance, risk awareness, and audit preparedness where resource constraints increase systemic risk.

Services are delivered as a non-certifying, non-attesting readiness assessment, performed in an audit and advisory capacity. The engagement is designed to help organizations understand their current risk and control posture and prepare for future third-party audits or certifications.

Does the assessment include any control testing?

Yes, limited control testing may be included where appropriate. Control testing is:

  • sample-based and point-in-time

  • limited to inquiry, inspection, walkthroughs, and observation

  • performed solely to support readiness and gap identification

No assurance, opinion, or conclusion regarding control effectiveness or compliance is expressed.

Is this a certification, compliance, or attestation audit?

No. This engagement does not constitute a certification audit, compliance audit, attestation, or assurance engagement. Certification audits are performed only under engagement with accredited certification bodies.

Which frameworks and regulations are readiness assessments aligned with?

Readiness assessments may be aligned, at a high level, with recognized frameworks and regulations, including:

  • SOC Trust Services Criteria (readiness only)

  • SOX IT general controls (readiness only)

  • ISO/IEC 27001 and ISO/IEC 42001 control objectives

  • HIPAA Security Rule safeguards

  • GDPR data protection principles

Alignment reflects preparation and awareness, not compliance or certification.

Who performs the assessments?

Assessments are conducted by qualified audit professionals, including auditors certified in ISO/IEC 27001 and ISO/IEC 42001 and holding CISA credentials. Auditor certifications reflect professional competence and training and do not imply that certification or attestation services are being provided.

Which organizations are eligible?

Eligibility is limited to nonprofit organizations that:

  • maintain active U.S. 501(c)(3) status

  • demonstrate financial inability to engage commercial audit or assessment services

  • handle sensitive donor, beneficiary, or operational data

  • align with the purpose of the program

Capacity is limited, and not all applicants will be selected.

How is eligibility determined?

Eligibility is assessed through a short application process considering organizational size, funding profile, data sensitivity, and overall risk exposure. Selection decisions are made at our discretion based on available capacity.

Does participation obligate an organization to purchase paid services?

No. Participation in the pro bono program does not obligate an organization to engage paid services now or in the future.

Can deliverables be shared with boards, funders, or auditors?

Yes. Deliverables are designed to be board-ready and may be shared with leadership, boards of directors, funders, insurers, or future auditors as readiness documentation.

Does the assessment require system access or changes to our environment?

No. The assessment does not require privileged system access, credentials, or production changes. Procedures are limited to interviews, documentation review, and high-level observation.

Does a pro bono readiness assessment prevent us from pursuing formal audits or certification later?

No. Because the engagement is non-attesting and advisory, it does not preclude organizations from engaging accredited certification bodies, CPA firms, or regulators for future audits or certifications.

How long does a readiness assessment take?

Most readiness assessments are completed within 2–4 weeks, depending on organizational size, scope, and availability.

Why is capacity limited?

Professional audit and assessment work requires significant time and judgment. Capacity is intentionally limited to ensure independence, quality, and sustainability, and to direct resources to organizations with the greatest need.

Why do you offer this program?

We believe that systemic cybersecurity and compliance risk increases when under-resourced organizations lack access to independent risk insight. The pro bono program reflects our commitment to improving governance and trust across the nonprofit and civic technology ecosystem.