It was a quiet morning last week when the phone rang. I answered.

“Hey, it's me!” said the voice on the other end of the line. He was one of my spies in the nonprofit world, the head of internal audit at a nationally known charity—a group that holds fund-raising walks all the time, and is no stranger to the occasional bout of bad publicity. “You guys need to write more ethics and compliance stuff for us on the charity side!”

Well, I asked, what exactly are you worried about? You don't have the Sarbanes-Oxley Act weighing over your head. You have no shareholders threatening proxy fights, or Securities and Exchange Commission probes into funny accounting metrics or quarterly financial statements. In fact, I said, I don't recall the Justice Department ever cracking down on a charity for violations of the Foreign Corrupt Practices Act, or the False Claims Act, or anything like that. Sounds to me like ethics and compliance professionals on the nonprofit side have a much easier time of things, right?

“Ha!” my friend scoffed. “Lemme tell you…”

And so he did, for a good half hour. The conversation was an interesting glimpse into an ethics and compliance world that we on the for-profit side would find vaguely familiar, and rather hair-raising at the same time.

First, my friend said, the word “charity” should apply to a specific sort of nonprofit organization. He considers large nonprofit enterprises—state universities, government agencies, teaching hospitals and the like—to be quite different from groups like his. Those enterprises can be enormous institutions with diverse operations, and budgets that easily run into the billions and workforces of 10,000 or more. “Those guys really do try to be ‘SOX-like' in their compliance operations, because they do so much and depend so much on government money,” he explained. “They're not like me at all.”

Charities like his, he said, operate under radically different circumstances:  They exist to raise money, and then distribute that money to their stated cause. That's it. So they have much smaller staffs, but at the same time they also have many more “workers” who are usually volunteers. “These are the people raising money for us, and we're thrilled that they're so dedicated,” my friend said. “But we can't expect these people to know much about the tax code and compliance. Expertise there is always an issue.”

Indeed, when you consider the full range of tax code items that apply to charities, you wonder if anyone has complete expertise on the issue. All nonprofits (other than government agencies) do file a tax return, the Form 990. That form also includes compensation for top executives, so it does serve as “our version of SOX,” my nonprofit friend said. He can't expect local chapters and volunteers to know the intricacy of federal tax law, so it falls to him to ensure compliance.

Even more challenging is the maze of state tax rules, which would leave even the most cynical and savvy compliance officers wondering what the regulators were thinking. In California, for example, if you host a fund-raiser that serves cold food, the event is tax-exempt; if you serve hot food, it's not. Along the same incomprehensible lines, Nebraska recently changed state law that any “athletic event” is now entertainment, and therefore taxable—which would include all those walks for the cause. Why? Who knows? Considering how rabid Cornhusker fans are, I would have thought Nebraska would deem athletic events as sacred as church services on Easter Sunday.

The 48 other states all have their own quirks too, compliance officers in the charitable world must track them all. My friend says he depends on the pro bono practices of law firms around the country that follow these developments, but even he admits that he's not sure anyone understands all the laws and regulations that might exist out there. And all those local laws are enforced by state attorneys general or secretaries of state, who may well have political motivations to pick a fight with a notable charity and score a few choice headlines while running for office.

Well that all sounds like quite the handful, I told my friend. But at least you don't have shareholders tugging at your board's sleeve all the time.

“No, we don't have shareholders,” my friend said. “We have the public.”

And that might be the most challenging part of compliance and risk management for charities: the reality that everyone considers your conduct their business, especially if you hope that they'll donate money to you. My friend diplomatically describes these people as “non-supporters who feel like they have a say in your organization,” but he also readily admits that those non-supporters aren't wrong to feel like that. His charity is asking the public for money, so the public has every right to express an opinion about how that money is collected and spent.

We've seen plenty of examples of that, most recently the Susan G. Komen Foundation's retreat on curtailing grants to Planned Parenthood earlier this year. In past years we've also seen executives forced out of the Red Cross, NAACP, and elsewhere due to what the public perceived to be bloated pay packagages, or misguided priorities, or similar reasons. Early in my own career, I wrote about a local chapter of the Animal Rescue League using a property originally intended for an animal shelter as a home for one of the ARL's executives. The local townspeople certainly weren't “shareholders” per se, but they had no qualms about telling the ARL to convert its property into a shelter, pronto.

So perhaps the grass is not greener on the other side after all. Maybe a different cliche is the better fit: things are tough all over.