[Owasp-board] on chapter finances (was Re: FW: Audit of OWASP)

Andrew van der Stock vanderaj at owasp.org
Fri Jun 8 16:04:28 UTC 2007


Wiki == truthiness. Accounts need to be managed a bit better than Wiki as
the primary source. Budgets (project expenses) are acceptable on the Wiki as
we can look through the history, but where we manage funds, it must have
integrity to be believable. We don't want 100+ off-sheet balance sheets -
it's totally impractical to manage. I don't want us to be paying the
accountant to grovel through 100+ pages at $whatever per hour to find the
latest expenses. We'd be better off burning the money.

We can pay chapters for a fair amount via credit card for known future
expenses (such as mini-confs or approved travel), or reimburse regular
meeting expenses (pizza, etc) via PayPal. However, we must draw up a list of
acceptable items for chapters to expense so there's no misunderstanding,
particularly if we can't / won't fund some items (e.g. as an extreme example,
strippers, but more likely to be things like projectors, etc which should
come with the room of the sponsor).

But before we get to jumping over huge lakes before we can crawl, we need
to:

* Draw up a list of acceptable expense items (which we can revise from time
to time) 
* Draw up travel approval process for chapter leads so that we can manage
the travel of speakers and make sure it doesn't become an out of control
expense 
* Draw up a budget template page in the Wiki so that chapter leads can
propose how they would like to spend their chapter allowance
* Draw up a process so that leads can be reimbursed properly - like how do
we know Joe Blogs is a chapter lead?
* Set aside some budget for chapter allowances, and work out how much each
chapter may draw upon that budget

We also need to strongly encourage chapter leads who heavily use chapter
allowances to generate income by encouraging folks to join OWASP. Let's
change the sign in sheets to include a "Member" column, where folks can tick
if they are members, and we would encourage leads to check this (we may need
a private web service for this). That way, we can grow on income as well as
expenses. Unlike a government, we must have a positive cash flow. If we do
too much, we will have to cut back on our future plans, future conferences,
future SeasonOfCode, member benefits, and that helps no one.

I propose we:

* Use 30% of our funds for a maximum of one SeasonOfX per year and any
intern(s) OWASP hires
* Use 20% of our funds for member services, such as chapter meetings, mini
confs, speaker travel
* Use 30% of our funds for conference related expenses - usually pays back
by about 10-30% return. Put in $100,000, get $110,000 to $130,000 in return
* Use 10% of our funds as a maximum for administrivia, face to face board
meetings, back office (hosting fees, accountancy, bank fees, etc), admin
assistant 
* 10% as a contingency / future development fund - this is where the full
time equivalent would be funded from (eventually)

It is my understanding that our income is primarily from advertising banners
(which supports our hosting, about $1k per month), generous - and often once
off - corporate sponsorships, and conference income (which only comes after
spending a bucket load of money and effort). I believe (but am unsure) that
we have very little income from individual memberships, but have many folks
who attend OWASP meetings and use our mail lists. We do not have enough
diverse sources of income to weather the loss of any one of these.

Let's look at this historically:

             2004          2005           2006 (through August last year)
Income       $28,201.71    $112,429.80    $124,845.06
Expenses     $19,585.28    $58,154.13     $101,759.10
Net income   $9,386.07     $63,011.82     $87,570.86

We've spent our previous three years' net income in two SeasonOfCodes in the
last 12 months. This is simply not sustainable without more income. I'd
really like us to think about budgeting through the next twelve months, and
let's agree to some fiscally responsible budgets so OWASP can grow and
continue to do the things like SeasonOfCode and conferences, which have
really vastly improved OWASP's stature, quality and breadth of materials,
and membership value.

I'd really like to see everyone's budget wish lists like I've done above.

Thanks,
Andrew

On 6/7/07 7:02 PM, "Dinis Cruz" <dinis at ddplus.net> wrote:

> The money flows with the local chapters is something that we need to resolve
> ASAP.
> 
> One idea that we were playing with at the chapters meeting in Italy was that
> we could define a list of stuff that the OWASP can pay centrally (via credit
> card or wire transfer)
> 
> From http://www.owasp.org/index.php/Chapter_Leader_Meeting_AppSec_Europe_2007
> 
> How do we finance local chapters? A list should be compiled of what OWASP
> could pay for centrally if the need occurs:
> *  Catering 
> *  Liability insurance - normally to be covered by the premise host sponsor!
> *  PR 
> *  Marketing material
> Policy and procedures to be set up for this.
> 
> For example I like the idea that each project leader is responsible for
> managing his/her budget via a WIKI page (we should make one of them
> responsible for sending a list of bills to pay to OWASP every week)
> 
> Those local funds would be created by 50% of individual memberships and by the
> % allocated by the 'Organization' members (which in addition to OWASP projects
> could also say 'I want 30% of my fees to go to support the local chapter')
> 
> This would create an incentive for each chapter to generate revenue
> 
> What do you think?
> 
> Either way, we need to have a solution for local chapter finances, especially
> with the mini conferences around Europe (Finland might be next) and companies
> starting to give money sponsorships to local chapters (the F5 1000 Euros to
> the Belgium chapter)
> 
> Dinis
> 
> 
> On 6/7/07, Andrew van der Stock <vanderaj at owasp.org> wrote:
>> Folks,
>> 
>> I agree - 2006 is the year we had the most funds, and I'm sure it will show
>> that everything is in order if we do a full audit. It's also the first year
>> that all four of us were on board as a team, and therefore demonstrates that
>> we've been fiscally responsible (assuming everything is indeed okay). As this
>> is an expense that was going to catch up with us in one way or another, let's
>> get it out of the road, and pay the $5k for the 2006 full audit, but let's
>> keep on top of things from here on in.
>> 
>> Dinis, can you please keep an eye out for new memberships that derive from
>> our increased transparency. For example, if you know of a few folks who would
>> join, but currently are not, we should chase them down afterwards to help pay
>> for the audit. 
>> 
>> Although we are a non-profit, this does not mean we spend everything every
>> year. We should look towards one day having a paid staff. Without having
>> something in the kitty for that eventuality, we will only grow so big. This
>> happened to SAGE-AU, and we were stuck at 750 members for years because of
>> it. Only when we got a full time admin assistant processing memberships, and
>> an Executive Director on board did they start growing again. SAGE-AU now has
>> over 2000 financial members today.
>> 
>> We should really start converting more chapters into mostly individual
>> members. Having a steady stream of income pays for these sorts of things. At
>> all of the meetings I've been to so far, there's been no pressure to join.
>> Think about what we can do with chapters like NY/NJ with over 100 members if
>> they were all financial to the tune of $100 or so? That's $10k and one
>> chapter. But there has to be a reason for folks to pay. Let's work up a
>> schedule of things that are member-only.
>> 
>> Thanks,
>> Andrew
>> 
>> On 6/7/07 7:53 AM, "Dinis Cruz" <dinis at ddplus.net> wrote:
>> 
>>> I agree that this will pay for itself easily, and we need to look at it as an
>>> OWASP operational expense.
>>> 
>>> And btw, we also need to have the numbers of what are the monthly OWASP
>>> operation expenses. So that we can plan our budgets.
>>> 
>>> Dinis
>>> 
>>> On 6/7/07, Jeff Williams <jeff.williams at owasp.org> wrote:
>>>> I really hate to waste OWASP's precious funds, but I think Dinis is right -
>>>> this will probably pay for itself many times over.
>>>> 
>>>>  
>>>> 
>>>> --Jeff
>>>> 
>>>>  
>>>> 
>>>>  
>>>> 
>>>> From: owasp-board-bounces at lists.owasp.org On Behalf Of Dinis Cruz
>>>> Sent: Thursday, June 07, 2007 5:36 AM
>>>> To: OWASP Board
>>>> Subject: Re: [Owasp-board] FW: Audit of OWASP
>>>> 
>>>>  
>>>> 
>>>> I think we should go for the 5k option. In things like finance we need to
>>>> be as transparent and clear as possible. And since the simple review is
>>>> 3,500 we might as well go a bit further and do the 5,000.
>>>> 
>>>> I do think that this is money very well spent, and something that our
>>>> existing and potential members will really appreciate.
>>>> 
>>>> And once this is completed, I would like to issue a Press Release about it
>>>> since we are starting to be a very good success story. And the more
>>>> visibility we have in issues like this, the easier it will be for certain
>>>> companies to become OWASP members.
>>>> 
>>>> Dinis
>>>> 
>>>> On 6/7/07, Dave Wichers <dave.wichers at owasp.org> wrote:
>>>> 
>>>> Dinis,
>>>> 
>>>>  
>>>> 
>>>> I haven't looked at the 990 yet as we just got it, but what do you think
>>>> about doing this instead of spending $5K-$10K on some kind of formal audit.
>>>> I'd really rather spend that $ on something else.
>>>> 
>>>>  
>>>> 
>>>> This company is the company that has been doing the OWASP Tax Returns for
>>>> the past two years.
>>>> 
>>>>  
>>>> 
>>>> -Dave
>>>> 
>>>>  
>>>> 
>>>> From: Andi McDowell
>>>> Sent: Wednesday, June 06, 2007 11:44 AM
>>>> To: Dave Wichers; Jeff Williams
>>>> Subject: Audit of OWASP
>>>> 
>>>>  
>>>> 
>>>> I talked with Carol Malstrom at TR Klien (They prepare the OWASP 990).  Her
>>>> original thought was that we could post the 990 (which is what OWASP files
>>>> for taxes) on the OWASP site.  For a full audit of 2006, the cost would be
>>>> around $5,000.  For an audit back to when OWASP started with us, it would
>>>> run about $10k.  She felt an audit of 2006 should be sufficient as they
>>>> would review all of the beginning balances for the year.   Her feeling was
>>>> that if no one is forcing an audit, it seems an unnecessary expense.
>>>> 
>>>> The final option would be to do a simple review, which would cost $3500 for
>>>> 2006, $6k for 2005 and 2006.  They simply send a letter saying "we've
>>>> reviewed the books and everything appears to be in order".
>>>> 
>>>> Let me know what you would prefer doing.
>>>> 
>>>> Andi