How to combat charity fraud – strong internal controls

It is charity fraud awareness week. This is an opportunity for us to raise awareness and share good practice in tackling fraud and cybercrime within the Charity Sector.  Unfortunately, during lockdown the sector has seen high levels of fraud and therefore we need to be more aware than ever. In our view the best defence against fraud is having strong and robust internal controls. If operating effectively internal controls should be able to identify and prevent attacks against your organisation. This guide provides some practical answers to questions that we should all be asking of our own organisations.

If we asked you how often you carry out a review to challenge the effectiveness of your internal financial controls, what would you say?

Hopefully it’s at least once a year, an indication hinted at annually when you complete the charity’s annual return and are faced with a similar question; but there will be charities who apply the ‘if it ain’t broke don’t fix it’ philosophy and only act once something has gone wrong. Managing your charity’s finances and operations well, will make achieving its objectives much more successful. As trustees with a legal responsibility to protect the charity’s assets and mitigate identified risks, having the right set of checks and balances in place at all times is crucial. If you have been fortunate enough not to have suffered any fraudulent activities or theft, breaches or override of controls, or good old human error, this does not mean it will never happen, or that your existing controls continue to be adequate in an ever changing world. As your charity grows, relies on technology, or becomes more perceptible to outside threats, if financial controls do not evolve, they may well create the opportunity for loss.

What Are They?

What should you be considering? Here are some areas that will need your attention, and further helpful prompts can be found on the CC8 checklist provided from the Charity Commission’s website.

  • Accounting records maintained, making sure they are up to date and accessible to the right people.
  • Regular monitoring and reporting of financial activities.
  • Benefits of independent advice and review.
  • Risks of exposure relating to financial crime.
  • Segregation of duties.
  • Practical issues relating to the safekeeping of income and maximising gift aid.
  • Controls over expenditure authorisation and internal banking access and limits.
  • Assets and investments management.
  • Use of funds and restrictions.

It goes without saying, while rigid controls that may no longer be fit for purpose will fail to safeguard, a regular review process to update systems and maintain relevance will not eliminate every possible loss, but it is a strong line of defence and ensures they are as robust as possible. Your risk register should give you a guideline, as here you should have identified the significant risks that exist for your charity and the controls implemented.

How and How Often?

Do you actually need an annual review? Most likely, but it does not have to cover every area, every time. While some years you may (and should) consider all controls, some years you may focus on areas where change is rife and exposes more risk, new ventures your charity may be exploring and processes that have been flagged as weaker than they should be. You should be confident that all controls are being assessed over time. It may also be helpful to approach reviews differently year on year, to encourage a fresh approach. This may involve using alternate members of the finance team or other departments, starting with existing controls and shaking them down to test they remain endurable against current threats, or even bringing in an outside resource to undertake a review. You should also utilise new technology too. So many issues in the third sector rely on judgement and understanding; but why not introduce new software and appliances to your systems that can help monitor, analyse, and identify risks and failings in current processes. Embrace technology for the benefits it can bring, merging past knowledge and future insight.

The Benefits

As trustees you are responsible, you are the guards at the charity’s gates, and public perception and trust in your organisation can be tainted in several ways. The philanthropic vision you have and the goodwill you depend upon could be compromised by a disregard for the charity’s internal financial controls and practices. When you check the box on your annual return to agree you undertake an annual review of these controls, how comfortable are you that this has been thorough and can stand up to scrutiny? A transparent system that cares for the charity’s assets, manages, and mitigates risk, produces timely and accurate accounting information and controls financial transactions, will create opportunities for success. Do not forget to boast about spending time on these matters! Do you mention that you review these controls annually as part of your Trustees’ Report? Turn to any page of the press these days and there are negative stories indicating a lack of care and attention in the not for profit sector; help spread the word that in fact, the majority of the work supported by charities and being pushed forward across the nation is done with honesty and significant diligence.

Did You Know?

The Charity Commission’s main guidance is document CC8 “Internal financial controls for charities”. Some of it may seem a little outdated, consideration of online banking is as though it is a new technology for example. It has not been updated since July 2012, however the document remains relevant and the checklist is useful. OSCR also includes some guidance in section 5 of their publication “Guidance and Good Practice for Charity Trustees” issued in June 2016.

How do I Know if I am Doing a Good Job?

  • The Charity Commission’s self-assessment checklist – Do you refer to this source document as a helpful guide to areas that may require your attention?
  • Different views – Do you change the pattern of review year on year, and make sure the right people are involved?
  • Take action – Do you turn recommendations into action plans where an issue arises to keep your controls robust and relevant? Do you monitor if the change has been effective?

How we can Help

Read the CC8 guidance on internal controls and section 5 of the OSCR publication “Guidance and Good Practise for Charity Trustees“ and complete the related checklist. It is also worth considering the March 2017 Charity Guidance – Charity governance, finance, and resilience: 15 questions trustees should ask. Although not specifically concerned with internal controls it may help identify any significant issues. If you have any questions, please do not hesitate to get in touch with a charity sector member of your local MHA firm.