Charities are built on trust but, alarmingly, they are not immune to fraud, including from within. Sam Burne James unmasks the risks of insider fraud and shares expert advice on how to prevent and manage it.
What words would you use to describe your colleagues in the charity sector?
Passionate? Resilient? Innovative? Trustworthy? Hopefully a mix of those – and more.
But ‘potential fraudster’? Hopefully not. However, there is a growing understanding in the sector that fraud risks come from all corners, and that includes insiders. With late November’s Charity Fraud Awareness Week (CFAW) 2024 fast approaching, Charity Finance Group spoke to experts about facing up to that risk.
“It’s crucial not to assume that working in the charity sector, alongside kind and well-meaning individuals, exempts charities from the risk of insider fraud,” comments Dr Rasha Kassem, a Senior Lecturer at Aston Business School and also a certified fraud examiner.
"If you asked auditors who work with charities, they would emphasise a significant risk of fraud within these organisations. However, I’m not convinced that all charity directors and donors fully acknowledge this concern."
Dr Rasha Kassem, Aston Business School and Phil Sapey, Cancer Research UK.
Recent news headlines – a YMCA finance manager jailed in March for stealing £300,000; a father and son imprisoned in September having swindled £1m from the National Trust; and a woman being convicted in October for taking £86,000 from a charity set up in memory of her best friend’s daughter – back up Kassem’s assertions. So does the fact that they are not the only such stories surfacing in 2024.
So did last year’s Charity Fraud Report by BDO, showing that 50% of fraud detected in charities was committed by staff, members, volunteers or trustees – a figure that was slightly higher (54%) in 2022, and lower (43%) in 2021’s inaugural survey. Another 10% was perpetrated by beneficiaries or suppliers.
Charity fraud experts agree that while this risk needs to be taken seriously, it doesn’t mean casting constant suspicion.
“In my experience, it is only a small proportion of people out there who will set out from the start to defraud you,” explains Phil Sapey, Counter Fraud Manager at Cancer Research UK.
It is more likely, Sapey continues, “that someone is honest initially, but then life happens – they get divorced, or their partner loses their job, or they start gambling a bit too much. And then all of a sudden they realise that they can sign off their own expenses, or see whatever other opportunity to cut corners”.
The cost-of-living crisis, not to mention that those in charities are likely to receive less pay and fewer benefits than in other sectors, add to what Sapey calls “push factors”. When desperation and opportunity coincide, those hitherto earnest colleagues may start to rationalise unethical behaviour.
Tackling all forms of fraud, especially insider fraud, requires a whole-organisation approach, according to British Red Cross's Head of Internal Audit Claire White.
“Ultimately,” she says, “preventing fraud is not just about our team of three people sitting in internal audit, it’s about the 3,000 people across the organisation, our 12,000 volunteers, that culture as a whole, and in particular managers feeling confident to spot and report it.”
It sounds great in principle, but how do you create that in practice? Based on conversations with the aforementioned experts and others, here are 13 top tips.
1) Check out regulators’ guidance
The Charity Commission for England and Wales (CCEW) pointed CFG towards Internal financial controls for charities (CC8) as its key guidance relating to fraud prevention – as well as suggesting some may find it useful to start with one of its 5-minute guides on financial management, or the publication Charity governance, finance and resilience: 15 questions trustees should ask.
In addition, CCEW will be publishing new guides to fraud and cyber security during CFAW.
The Office of the Scottish Charity Regulator (OSCR) directed us to a section on its website on fraud, and to two recent reports – one on financial management and another on dominant behaviour in charities – which summarise learnings from its inquiries.
The Charity Commission for Northern Ireland lays out its position on this page.
All three regulators also expect charities to report serious incidents or concerns to them. If in doubt, charities should err on the side of caution and report it.
2) Awareness Week resources and events
Do you want to attend one of several free in-person and online events about charity fraud awareness and prevention in November? There are several events and webinars being held during CFAW.
Hope Sapey, a senior executive at the Fraud Advisory Panel, the charity organising CFAW, says it will add to its existing range of resources with new publications during the week. “We always write our guides with the intention of a non-specialist being able to pick them up and run with them, so that even if you don’t have any specific financial background, they’re still accessible,” she comments.
During CFAW, the Fraud Advisory Panel and BDO will also publish the fourth Charity Fraud Survey, which this year will include questions on ECCTA, a newly introduced law (more on this further down the article).
Claire White, British Red Cross and Mazeda Alam, Charity Commission for England and Wales.
3) Don’t be overawed
In the movies, fraudsters are big-brain tricksters with such cunning and guile that nobody is safe. That dramatic portrayal could kid charities into feeling intimidated or overthinking the matter. The reality is that a lot of fraud is basic and opportunistic rather than Moriarty-esque, and can be snuffed out by relatively basic controls. The phrase ‘trust is not a control’ comes up a lot in interviews.
"Anti-fraud measures don't have to be hugely complex,” says Mazeda Alam, Head of Guidance and Practice at CCEW. “One of the big things is making sure your authorisation process is robust and requires more than one person to approve any expenditure.”
Tracey Kenworthy, counter fraud director at BDO, agrees: “While trust is a fundamental part of organisational culture, it does not replace simple financial and other fraud-related controls. With our survey and through Charity Fraud Awareness Week, we're trying to get across the message that there are lots of simple things charities can do to prevent fraud – it's not something that has to involve huge time and expense.”
4) Talk about it
Simply being aware that your organisation is not immune to fraud is a “great first step” to combatting it, Kenworthy adds.
Alam adds: “We recommend doing what you can to promote a culture of fraud awareness, such as sending monthly emails to remind staff, volunteers and trustees how to spot a phishing email.”
“There might have been a time a few years ago when people in the sector weren’t happy to talk so openly about fraud, especially insider fraud,” says White from the British Red Cross. “But I think that is changing. We’re making sure we talk more internally.
“By sharing stories of some of the things we’ve come across as an organisation, it helps start the conversation because people are intrigued, and hopefully horrified as well, and then they start to think about how it could happen to them or their team, which can prompt behaviour change.”
Fraud prevention is not an issue to sit in your risk register and be revised periodically, then briefly acknowledged during CFAW, rather it is something to be discussed year-round, across your organisation.
That approach could also extend to training. Lucy Morgan, associate director for legal, compliance and governance at Breast Cancer Now, describes: “We have purchased online anti-fraud training for all our staff, and the fundraising team runs fundraising fraud training. Both of these are annual requirements for all staff in the organisation, to ensure everyone is alert to potential risks and knows how to act if they encounter potential fraud.”
5) Get all trustees on board
As in all areas of charity management and culture, everything ultimately starts with the trustees. Ensuring that they are aware of the risk of fraud broadly, and insider fraud specifically, and see it as a risk that needs to be managed, is crucial. And that means all trustees, not just some.
“It's really important on boards that there isn't an assumption that finance is solely the responsibility of the treasurer, or of a specific sub-committee, or that you just trust whatever the senior management tells you,” explains Alam from CCEW.
She goes on to point out: “This is particularly important when it comes to insider fraud, because you are particularly vulnerable to that if there isn't enough oversight, or if there is just one individual in charge and there is no dual authorisation or checking.”
6) Data can give you a head start
Few charity finance professionals would be able, or would want, to keep a constant eye on everything happening in their charity. Data is your friend, interviewees say.
“Data-driven insights can really help. Think about what data you’ve got available, or the data you need to get access to, which could show something going wrong, or something that needs to be looked at,” comments Sapey from CRUK.
“Anomalies you find might well not actually be fraud, it could be an honest mistake or something else going wrong, but data can flag up things you need to check.”
7) Ask your auditors
CFG is aware that charity finance professionals can find audit to be an increasingly frustrating process, and some feel it offers little value to their organisations.
Nonetheless, you should invite your auditors to challenge you on whether your fraud prevention policies are robust, argues BRC’s White. “Having fresh eyes is always useful,” she comments.
8) Always report to Action Fraud and regulators
All fraud should be reported to Action Fraud, the UK’s national reporting centre for fraud and cybercrime, in addition to notifying the regulator.
Various interviewees for this piece admitted that, especially in cases where fraud was either thwarted or only resulted in a relatively small loss, going to Action Fraud might feel like a bit of a time-wasting, box-ticking exercise given police resourcing and the very low prospect of conviction.
But there also was an agreement that it was irresponsible not to report. Going to Action Fraud means that its data and insights are as accurate as possible, and that there is at least a chance of justice being done.
Interviewees concurred that dismissing someone after an investigation, or suggesting to them that they resign, neglects your duty to protect other organisations which might be their next victim.
9) Let people report with confidence
“Ensure that fraud reporting in your organisation is straightforward and that individuals feel safe doing so,” recommends Dr Kassem from Aston Business School.
“While an anonymous whistleblowing line is a good start, employees may lack confidence in its anonymity,” she warns. “To reinforce trust, clearly communicate how the system works and the measures in place to protect anonymity. Consider using a third-party service for report management, and offer multiple reporting channels – like web forms and phone lines – to maintain confidentiality.”
Lucy Morgan, Breast Cancer Now and Rebecca Cumming, Russell-Cooke.
10) Cultural awareness
An international NGO finance leader points out that attitudes and practices vary significantly across the world. Data a few years ago suggested that one in three people in Latin America have had to bribe a public official just as part of everyday life.
Operating in an environment where fraud is prevalent and overt presents significant challenges for an organisation which would not tolerate nor participate in such behaviour. There are no easy answers to this, although some may be raised by the next point…
11) Network and learn
Finance leaders interviewed for this piece were unanimous that learning and networking – getting an understanding of what other charities are experiencing and how they are responding to it – has been invaluable to their fraud prevention practice.
Suggestions for organisations with relevant guidance, events or content included CFG itself; the aforementioned Fraud Advisory Panel; the Institute of Internal Auditors, the Charities Internal Audit Network, the Association of Certified Fraud Examiners; and the Chartered Institute of Public Finance and Accountancy.
There was a suggestion charities might benefit from joining the National Fraud Initiative, a data matching operation operated by the Public Sector Fraud Authority. Two private LinkedIn groups, the Charity and Not For Profit Accountants and Finance Professionals Group and another created by fraud prevention service service Cifas, were also cited.
Nonetheless, questions were asked about how these groups might be better supported and strengthened, in particular to make them more definitive or ‘official’. Morgan from Breast Cancer Now comments: “It would be helpful to have a central repository of information about frauds and suspected frauds for the charity sector, but this does not exist at present.”
12) Get up to speed with ECCTA
There’s a new law in town. Rebecca Cumming, a Senior Associate at Russell-Cooke, explains that the Economic Crime and Corporate Transparency Act 2023 introduced a new offence of ‘failure to prevent fraud’.
Cumming acknowledges that this might sound somewhat scary to financial leaders but says there are some important caveats. “Firstly, the offence cannot be committed where the organisation is the intended victim of the fraud, so a charity would not be liable where, for example, an employee defrauds the charity,” she says.
Instead, it would be relevant if, for example, a charity employee deliberately included false statements in a grant application or procurement bid, in order to secure a contract or funding.
“Secondly,” Cumming continues, “the threshold for being a ‘large’ organisation is quite high and so only the largest corporate charities will be caught. Nonetheless, charities that do meet the threshold should consider the implications and ensure they have policies and procedures in place to prevent fraud being committed on their behalf.”
The Government’s official guidance on ECCTA is expected to be published before December although it is likely to be high-level rather than a detailed ‘how-to’ guide to compliance.
13) Don’t be cosy, be awkward
While we should all aspire to fostering nurturing, supportive cultures in the charity sector, that family feel mustn’t be taken too far.
Says Alam at CCEW: “While internal fraud can happen anywhere if the right controls aren’t in place, the risk tends to be higher in smaller, local charities where everyone knows each other well – perhaps trustees are family members or friends. In these situations, people are more likely to rely on trust or feel uncomfortable asking to check information.”
The regulator will be releasing updated guidance next year on encouraging trustee boards to cast their net more widely, to “ensure that fewer charities fall into tricky situations and can maintain good financial controls”, she adds.
Nonetheless, it may still feel awkward talking about fraud. Professionalism needs to trump such squeamishness, urges Robb Montgomery, Head of Counter Fraud at Save the Children.
“The question is would you rather be having the occasional questioning conversation internally with someone, and perhaps it turns out that there wasn't anything untoward happening and there's a simple explanation? Or would you rather be having a very awkward conversation with a Charity Commission investigator, or your major donor or a journalist?”
Montgomery concludes: “It's much more worthwhile having that small bit of discomfort immediately than letting it slide.”