'Not doing the basics to protect themselves'. That was the verdict on charities from the largest ever survey into fraud and cybercrime in the sector.
The findings are sobering. They cite charity fraud potentially running into billions of pounds each year, with the 'strong ethos of trust' leaving charities particularly vulnerable. And whilst 85% of charities think they are doing everything they can to prevent fraud, nearly half don't have good practice protection in place.
Cybercrime is another growth area, and there are fears that the higher age profile of charity trustees can coincide with lower levels of cyber awareness. The survey recommends that charities clarify responsibility for managing the risk of cybercrime, ensuring that it's a governance priority for every Board.
Insider fraud is a major concern. Of the charities experiencing fraud in the last two years, more than half knew who the criminal was. Fraudsters came from the ranks of paid staff (29%), volunteers (18%), beneficiaries (13%) and trustees (10%). But there are 'red flags' to look out for. These can be things like someone seeming unwilling to share duties, being reluctant to delegate or to take holiday – or perhaps seeming unusually close to suppliers.
Most frauds are small-scale and time-limited. They range from cash theft and cheque or banking fraud to so-called 'Mandate' or 'Chief Executive' (CEO) fraud. This is the most common type of charity fraud, often carried out by hoax email. With CEO fraud, the fraudster impersonates an organisation that the charity deals with, or senior staff within the charity itself.
Appropriate financial controls and audit procedures are likely to detect many of these issues. The Charity Commission has a clear call to action, recommending that charities:
- acknowledge the risk of fraud and potential for serious reputational damage
- enhance fraud awareness for staff and volunteers
- agree and implement financial controls, ensure they operate properly, and review them regularly. Controls can be as simple as having at least two signatories to bank accounts and cheques; carrying out regular bank reconciliations; and making sure no single person has oversight or control of financial arrangements
- put in place procedures to report fraud (whistleblowing)
- show commitment to best practice by adopting 'Tackling Charity Fraud: Eight Guiding Principles' (bit.ly/2FwSnfA)
- publish details of any fraud on the charity's website, and also report it to relevant external agencies
- ensure pre-employment checks are carried out before recruiting staff and volunteers, especially those in financial or senior roles
- carry out due diligence checks on staff, volunteers, donors and beneficiaries.