As part of the Charity Fraud Awareness Week, a joint campaign led by the Charity Commission and the Fraud Advisory Panel, a new website was launched dedicated to helping charities avoid fraud contains useful tips and guidance - www.charitiesagainstfraud.org.uk
The awareness week and website are another means by which the Charity Commission is seeking to fulfil its regulatory role. Fraud has been a problem affecting the charity sector (like many other sectors) for a long time. Estimates suggest fraud costs the UK economy some £193 billion, and the charity sector alone, in the region of £1.9 billion. This is in part because charities can be exploited by criminals, whether by the unauthorised use of charity brands to collect money from well-meaning donors and not passing those funds to the charities, or criminals working within charities and exploiting sometimes weak systems, for example where charities are unable to segregate duties for collecting, counting, accounting and banking cash donations.
The Commission emphasises the need for strong internal controls as part of governance. Evidently fraud deprives charities of funds to enable them to deliver services to their beneficiaries, but also threatens the reputation of the sector and trust in it.
But fraudsters are becoming increasingly sophisticated and despite having strong financial management, accounting and record keeping controls, fraud still happens. Mandate and payment fraud, where hackers access systems via the charity or a third party, and purport to authorise transactions internally, or manipulate payment instructions to divert payments to their own accounts, are increasingly common. Some “cons” dupe even the most sophisticated, and organisations with complex processes and procedures still fall foul of fraudsters. Internal controls need to cover a far greater area of activity to include for example cyber security, than they did historically. Perhaps more importantly charities could benefit from a review and testing of processes and procedures, training amongst trustees, staff and volunteers – and a healthy dose of scepticism in dealing with financial transactions.
The Commission’s strategy - referred to in its guidance as ‘the four strand approach’ - has been:
- to raise awareness with a view to seeking to prevent fraud
- to exercise its oversight and supervision function through its serious incident reporting regime
- to cooperate with other law enforcement and other government agencies
- where necessary to intervene using its regulatory powers
The Commission continues to emphasise the responsibility of charity trustees for the governance of their charity, and the role strong internal controls have in safeguarding the charity’s funds and assets. A regular review of internal controls, ensuring that carefully prepared policies and procedures are actually implemented, and training staff and volunteers, will not only reduce the risk of a fraud occurring, but will also help trustees demonstrate that they have exercised reasonable skill and care should a fraud occur.
Reporting fraud to the Charity Commission as a serious incident
It is worth remembering that any type of theft or fraud is likely to trigger an obligation to report a serious incident to the Commission. The current guidance is a little unclear as to whether charities only need to report ‘significant’ or ‘serious’ criminality or whether all criminal activity should be reported at whatever level. In practice most charities should report any incident of fraud or theft to the police and, as such, this will trigger an obligation to report a serious incident. The Commission’s new (draft) guidance on reporting serious incidents, which is currently out for consultation, is clearer and states that any criminality or incidents of fraud should be reported. Again, the responsibility for reporting rests with the charity trustees. A failure to implement appropriate internal controls may be regarded as a breach of trustee duties by the Commission but even they will recognise that even the most sophisticated processes and protocols cannot eliminate all risk.
The Commission’s new guidance on serious incidents is clear that the Commission will regard trustees’ failure to report a serious incident, either soon after the event or as part of the annual return, as a breach of the Charities Act. This is on the basis that trustees will have defaulted on the statutory requirement to provide certain information and documentation to the Commission.
Given the emphasis the Commission has been placing on trustees, especially in their guidance ‘CC3: The Essential Trustee’, where they state that a failure to follow best practice might be regarded as a breach of trustee duties, trustees and senior managers should take note of Charity Fraud Awareness Week and reconsider all internal controls, their breadth and implementation on a regular basis, and should also have a process to follow if an incident should occur.
Do please call us if you have a concern you would like to discuss. As well as a health check you should review your insurance policies to ensure they cover all types of cyber fraud.
And finally here is some further useful guidance from our friends at Charity Finance Group (CFG) and PKF Littlejohn.
Download A new focus on fraud.