The charity and general press continue to carry stories of good causes being undermined by dishonest employees, volunteers and outsiders, and the estimates of the amount of money lost by the sector remain eye-wateringly high.
Charities are, of course, run to a large extent on trust and the vast majority are small organisations, run by volunteers and not having the resources to defend themselves against attack. They may also be seen as likely to run risks for some extra income, and to disregard warning signs that might have alerted other organisations to the risk of being a victim of financial crime. They may be accustomed to being offered unexpected donations from unusual sources, and may also be used to handling a flow of cash that fluctuates with no clear pattern, making it easier for a dishonest person to siphon off funds and harder for trustees to spot irregularities. Many charities are involved in sending funds overseas, sometimes to parts of the world where there is little conventional financial infrastructure, where the extensive use of cash or alternative money transfer systems and reliance on local intermediaries may put the flow of funds at risk.
Developments in technology have also opened up new opportunities for fraud, such as phishing emails generated in vast quantities to harvest details of bank accounts. Technology has also nurtured some of the motives for fraud, as witnessed by the 2015 conviction of a purchase ledger clerk at a Cambridge college who had falsified accounting records to feed an addiction to online gambling that saw her place bets in excess of £6 million. And then there is the type of fraud where money is obtained in the name of a charitable cause but never makes it to a charity, typically where someone claims to be raising funds for a charity but actually pockets any money raised from the public. This sort of fraud may involve no direct loss to a charity but is immensely damaging to the reputation of individual charities and to the trust the public place in the sector generally.
The impact goes wider than the immediate loss, and even wider than the reputational damage to the charity in question and to the wider sector: it includes the cost of investigating the fraud, dealing with the aftermath and the damage to morale (which is often built on trust) within charities.
Some of the risks come from within an organisation:
• false invoices and purchase orders prepared by staff;
• inflated expense claims or timesheets;
• cash being skimmed from the till of a charity shop;
• the interception of post - witness the case some years back of an employee who opened an account in the name of N. Speed and proceeded to modify and bank cheques made payable to the NSPCC;
• contracts being awarded to a supplier who charges over the odds and provides a backhander to the employee who awards the contract.
Other come from outside, such as:
• mandate fraud, where someone contacts a charity purporting to be a supplier notifying a change of bank account details for paying invoices;
• taking charity letterheads and using them to apply for funding;
• applications for grants from bogus organisations; and
• “419” and advance fee frauds where a charity is approached for help with releasing funds that are purportedly frozen in some mystery offshore bank account.
So how can charities protect themselves?
Internal financial controls including:
• adequate record keeping,
• segregation and rotation of duties relating to the authorisation of payments,
• monitoring cash with frequent bank reconciliations so that anomalies are more easily spotted,
• setting thresholds for a second person to approve expenditure or to add a new supplier to the charity’s systems,
• checking periodically that payroll matches staffing records,
• asking new suppliers to declare any connection with the charity,
• not letting any dormant bank accounts sit around, and
• stamping out the practice of having a supply of pre-signed blank cheques.
Keeping track of the latest fraud methods.
• If you give out bank details for donations, make it an account that does not allow payments, but only permits transfers to another account held by the charity.
• Encourage staff and volunteers to carry out due diligence on any unexpected approach – if a deal looks too good to be true…
Take IT security and hygiene seriously:
• don’t follow links in unfamiliar emails;
• use your usual method for logging on to online banking rather than a link in an email;
• stay alert to the possibility of spoofed email addresses and URLs;
• check with your usual contact at an organisation before disclosing information to someone purporting to be from that organisation.
• Make sure your trustees and staff know what to do if they suspect fraud, including notifying senior staff, police and the Charity Commission.
• Vet new staff and volunteers, particularly if they will be handling charity funds, taking references and requesting declarations regarding any unspent relevant convictions.
• Make sure your trustees understand financial reports and accounts, that they have time to review them to spot anything untoward and to raise questions of concern – this is made easier if trustees are given papers far enough in advance of having to make decisions about grants to enable them to look critically at requests.
Paul Ridout, Partner, IBB Solicitors
« Back to all blog posts