CFG's Special Advisor Pesh Framjee provides practical advice on the issue of fraud. This two part series takes an in-depth look at what fraud is and isn't, the 'recipe for fraud' and practical steps to prevention.
Fraud is not rife in the non-profit/charity sector. However, having worked on a number of fraud investigations over the years, my experience is that it is naïve to believe that people would not sink to defrauding a non-profit.
The very nature of many non-profit organisation’s operating environment often means that there is possibility and scope for fraud.
What is fraud?
Until the passing of the Fraud Act 2006, ‘fraud’ was not defined in UK statute and the courts determined when dishonest conduct becomes fraud. Most of the relevant legislation was found in the Theft Act 1968.
The rationale behind creating the Fraud Act (the Act) was to simplify the law in this area by creating separate free-standing fraud offences. The old crimes of dishonesty have been revoked by the Act and, accordingly, the need to categorise perceived dishonest behaviour as one of the crimes of deception/dishonesty referred to above has been removed. Three main fraud offences are created by the Act.
Fraud by false representation (section 2) is designed to cater for situations where the off ender knows they are making a representation which is false or misleading, or that may be false or misleading. Importantly, the victim of the false representation need not necessarily rely upon or be deceived by it. The law requires that the person making the representation does so with the intention of making a gain or causing loss or risk of loss to another. The gain or loss does not actually have to take place. The same requirement applies to conduct criminalised by sections 3 and 4 (see below).
A representation is defined as false if it is untrue or misleading and the person making it knows that it is, or might be, untrue or misleading. There is no limitation on the way in which the representation is made. So it could be oral or written representation or posted on a website.
Fraud by failing to disclose information (section 3). This applies where there is a legal duty to disclose. This could include a statutory, fiduciary or contractual duty.
A person commits an offence if they:
- dishonestly fail to disclose to another person information which they are under legal duty to disclose, and
- intend, by failing to disclose the information, to make a gain for themselves or another or to cause a loss to another or to expose another to a risk of loss.
Fraud by abusing a position of trust (section 4) focuses on the nature of the relationship between victim and defendant at the time of the alleged fraud. A fraud offence is committed by dishonestly abusing one’s position. It applies in situations where a person has been put in a privileged position, and by virtue of this position is expected to safeguard another’s financial interests or not act against those interests.
The recipe for fraud
Areas to consider are:
- Opportunity: how easy is it (does the fraudster have access to the systems, ledgers, assets etc? Are there controls?
- Incentive: is it worthwhile?
- Detection: will the fraud be discovered?
- Sanction: what is the likelihood of real sanction – for example, prosecution?
- Motive: lifestyle, commitments of employees and also morale are important here.
- Rationalisation: can the individual rationalise the action?
- Business ethic: in some locations the business ethic almost accepts that corruption/bribery and fraud is an acceptable form of behaviour.
It is also important to be alert to fraud indicators and weaknesses in methods of prevention and detection. Bear in mind the risk of management override of controls.
Tone at the top
The Charity Commission for England and Wales has published Compliance Toolkit: Protecting Charities from Harm, Chapter three deals with fraud and financial crime.
This states: 'Trustees have a legal duty and responsibility under charity law to protect the funds and other property of their charity so that it can be applied for its intended beneficiaries. They must also comply with the general law (and overseas law where applicable) including in relation to the prevention of fraud, money laundering and terrorist financing.'
'Fraud will flourish in an environment of weak governance and poor financial management. So this means that the protection of charity funds begins with having robust financial control systems within a framework of strong and effective governance.'
In summary, the Boards and, through them, management, are responsible for establishing and maintaining adequate financial and other records and internal control systems.
In fulfilling that responsibility, they must assess the expected benefits and related cost of management information and of control procedures. It is not enough to work on trust and this must be accepted throughout the organisation.
The objective is to provide a high level of, but not absolute, assurance that assets are safeguarded against loss from unauthorised use or disposition.
To do this, operations and controls need to be properly monitored and evaluated, transactions need to executed in accordance with established procedures and recorded properly.
Because of inherent limitations in any accounting and internal control system, errors or irregularities may nevertheless occur and not be detected.
Also, projection or any evaluation of the systems to future periods is subject to the risk that management information and control procedures may become inadequate because of changes in conditions or that the degree of compliance with those procedures may deteriorate.
It is not enough to design good controls. It is important that there is buy-in to the need for the controls so that the controls are understood, complied with and observed. It is also necessary for procedures to ensure that controls are not being overridden.
In the non-profit sector there is sometimes a culture that assumes that individuals always do what they should do, when they should do it and in the right way without supervisory and monitoring controls.
Boards and management may have faith in a control and it may be believed that the residual risk is low, but without knowing that the control is operating consistently there will be a degree of false comfort. It is therefore important that regular reviews are undertaken to ensure that there is evidence that the control is in operation.
Empowerment and accountability
Many non-profits try to foster a culture of empowerment with staff, partners and those they support. In practice, this is only effective when those individuals are able to rely on realistic policies to set the parameters and framework for decision making. This means that often the non-profit needs to focus on capacity building and support as a means to true empowerment.
True empowerment requires an enabling environment and this means that the non-profit must ensure that those it is trying to empower have the aptitude, core competencies, values and skill base to properly use tools, methodologies and policies to support both accountability and devolved decision making.
True empowerment is only possible when suitably experienced individuals take decisions within their competence and within an agreed framework that does not require constant reference to others for prior approval.
Non-profits are often reluctant to properly address performance issues and simply move people and problems around in a way that contributes to decline.
True and effective empowerment needs three components: responsibility, authority, and accountability. Whenever a process, activity or task is being transferred to a team or an individual, all three components need to be considered.
The correct balance will be achieved only when individuals or teams have a clear understanding of responsibilities, the authority necessary to fulfil these responsibilities, and the accountability for the consequences of what they have done or failed to do.
Fraud risk management
While there is no one sized fit all approach, it is important to have a framework to prevent, detect and respond to risk. An effective framework will act as a deterrence. A typical framework is depicted below.
For the framework to be effective, board and management must:
- deliver and reinforce an ethical tone at the top
- ensure that there are effective internal controls
- encourage proper whistle blowing
- prevent reprisals
- ensure that there is required training
- create the proper culture
- demand accountability.
False accounting and accounting bias
Fraudulent report is a common fraud risk in the private sector. It is driven by bottom line pressures to meet analysts’ expectations, compensation incentives, goals and targets. These factors do not normally feature strongly in the non-profit sector.
Therefore, fraud in the non-profit sector is not usually carried out by falsifying the financial statements. Falsifying statutory accounts usually provides no benefit, as it would for a for profit company. There is normally no real benefit in showing a higher profit to avail of artificial share prices or unearned bonuses.
However, falsifying accounts can be used to permit a fraud or to avoid detection. As a generality, the non-profit represented by its management and its Boards does not actively try to falsify accounts as there are not the same compelling incentives to do so.
However, there may be particular issues where there are bonuses paid on the basis of results. It is important to note that this does not require consideration only of areas where the profit or surplus is increased.
In some cases, the bonus threshold may have been reached and it may be advantageous to ‘carry forward’ credits by setting up provisions or deferring the recognition of income.
Types of Fraud
In the non-profit world, fraud is usually carried out through misappropriation or theft. Simplistically, this can be divided into three kinds.
- Frauds of diversion
This is where income or other assets due to the non-profit are diverted before they are entered into the accounting records or control data of the non-profit.
Not-for-profit organisations are usually more susceptible to this kind of fraud than other organisations. Essentially, with charities, it is easy to check what is there but very difficult to establish that it is all there. Therefore, ensuring the completeness of income or gifts in kind provided to a non-profit becomes difficult.
With trading organisations there are invoices, despatch notes, job sheets, stock controls, debtor ledgers, profit margin analysis, etc which all support a control environment which assist in ensuring that all the income due to the organisation has been received.
Charities often receive voluntary income that cannot be monitored and controlled until it is received at the organisation’s premises. Therefore, controls such as proper mail opening, recording and processing procedures, analysis of direct mail response rates, sensible analytical review of fundraising and income generation activities have to be relied upon.
To consider this, it is important to understand where the income comes in, who it comes from and what it is for. In essence, both management and auditors need to understand the different income streams and how they are controlled before it is possible to consider fraud risk.
For example: there is little point in considering donation income as one figure if income is received through direct debit and standing order as it will have a different audit risk profile to income received by home based fundraisers, in a post room or at a fulfilment house.
- Frauds of extraction
This is where income or assets in possession of the organisation are misappropriated. These often involve the management or employees since they require assets that are already in the possession of the organisation being extracted fraudulently. This could be by false invoices, overcharging or making unauthorised grant payments.
Funds can also be extracted through mandate fraud. This is where someone gets the organisation to change a direct debit, standing order or bank transfer mandate, by purporting to be an organisation that the organisation makes regular payments to. These are often quite sophisticated scams which on the face of it appear credible.
In other cases, payments staff may receive emails purportedly from senior management instructing them to make a payment.
Essentially, such frauds are carried out due to weaknesses in physical controls over assets and system weaknesses in the purchases, creditors and payments cycle.
The cycle can be evaluated by considering questions such as: who authorises incurring a liability and making a payment? On what evidence? Who records liabilities and payments? Who pays them and who checks them?
There is a greater inherent risk with charities as the expenditure may not be made for a quantifiable or easily identifiable exchange transaction.
With a for-profit company, it is usually possible to use gross margins, physical verification etc to confirm that expenditure is valid. With a non-profit organisation, a payment may be by way of grant, or expenditure may be incurred to do ‘good works’.
As with income, it is important to consider expenditure to understand where it goes out from and the system to monitor and control it. This is particularly important when expenditure is incurred at different locations, be they overseas or at branch offices.
For example, the accounts may show a number for overseas expenditure but it is important to understand the different components. How much of the expenditure has actually been incurred in the UK? If the expenditure is incurred overseas, is it incurred by the organisation’s own staff or is it an onward payment made to partner organisations? This also requires an understanding of the payment controls at different locations.
If payments are made by way of grant, how does the organisation ensure that the funds have reached the right place? Are there records of receipt, thank you letters etc? It is also important to understand the different payment mechanisms — for example, the controls over payments made by cheque, BACS and standing orders.
BACS can be a particular issue. The banks often require only one administrator who can override other segregation of duty controls. Charities should investigate who has the authority to set up new users and new passwords.
- Backhanders and inducements
Charities often commission large contracts for work and this can lead to the risk of ‘backhanders’. The best way to combat this is to have good tendering and purchasing procedures with adequate reviews and supervision.
Most charities also take comfort from the fact that more than one individual takes decisions on large spends or commissioning of services.
Auditors’ responsibilities
International Standards on Auditing (ISA) (UK & Ireland) 240 covers the auditor’s responsibility to consider fraud in an audit of financial statements.
Misstatements in the financial statements can arise from fraud or error. The distinguishing factor between fraud and error is whether the underlying action that results in the financial statements is intentional or unintentional.
The term ‘error’ refers to an unintentional misstatement in financial statements including the omission of an amount or a disclosure, such as the following:
- A mistake in gathering or processing data from which financial statements are prepared.
- An incorrect accounting estimate arising from oversight or misinterpretation of facts.
- A mistake in the application of accounting principles relating to measurement, recognition, classification, presentation or disclosure.
Two types of intentional misstatements are relevant to an auditor, that is, misstatements resulting from fraudulent reporting and misstatements resulting from misappropriation of assets. Fraudulent financial reporting may be accomplished by:
- Manipulation, falsification (including forgery), or alteration of accounting records or supporting documentation from which the financial statements are prepared.
- Misrepresentation in, or intentional omission from, the financial statements of events, transactions or other significant information.
- Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosure.
Fraudulent financial reporting often involves management override of controls that may otherwise appear to be operating effectively. Fraud can be committed by management overriding controls using such techniques as:
- Recording fictitious journal entries particularly close to the end of an accounting period, to manipulate operating results or achieve other objectives.
- Inappropriately adjusting assumptions and changing judgements used to estimate account balances.
- Omitting, advancing or delaying recognition in the financial statements of events and transactions that have occurred during the reporting period.
- Concealing, or not disclosing, facts that could affect the amounts recorded in the financial statements.
- Engaging in complex transactions that are structured to misrepresent the financial position or financial performance of the entity.
- Altering records and terms related to significant and unusual transactions.
To read on, head to Part 2 which includes in-depth information on controls and lines of defence.