It’s an unfortunate truth, but fraud happens. And, worryingly, it’s still on the increase. Yet, less cases are brought to any kind of criminal, civil, disciplinary and/or regulatory sanction. Given the risk versus reward mentality of fraudsters, this is great news for them.
What should charities be doing to protect themselves from such a perfect storm?
As much as possible. Ignoring the risks or hoping that fraudsters will simply go somewhere else will, without doubt, expose you and your charity to significant financial and reputational damage.
An often-heard response from charities when this is suggested is “we don’t have the funds”. But it’s not all about huge investment; as much can be done on a shoestring budget by using existing resources and staff. It is all about strategy. Without a proactive anti-fraud strategy, one will simply end up reacting to fraud by fire-fighting and constantly be pulled in all directions.
Therefore, a cradle-to-grave approach should be designed that is realistic and workable within given financial and resource limitations. Aiming for the stars and landing on the moon will only lead to frustration and disengagement, so it’s important your strategy is realistic and broken down into achievable outcomes. Keeping it simple in this way cannot be underestimated. Make it too complex and it’ll very quickly be filed in the too-hard dustbin.
Take it step by step
Undertake a step-by-step strategic fraud risk assessment of your charity’s capability to tackle fraud, by considering what sort of anti-fraud culture you have – and what sort of culture you want.
- Is it one where the tone from the top is ethical and clear in its ambition to reduce fraud risk to an absolute minimum, and where instances of fraud are investigated and appropriate sanctions are pursued?
- Is there positive encouragement to raise concerns (whistleblowing), and a culture in which it is supported through policies and procedures, with protections in place?
- Do you have the right amount of support to be able to drive the anti-fraud initiative forwards?
- If not, what can be done with existing resources; are you able to identify ‘champions’ across the organisation who, with support, can push the anti-fraud message through team meetings etc?
- Are there opportunities to work with other charities or third-party providers with expertise that can assist you?
- Can you learn from what others are doing? Horizon-scanning for emerging threats is an easy way to share and ascertain best practice. The Charity Commission and Fraud Advisory Panel’s Charity Fraud Awareness Week and Moore Stephens’ Charities Against Fraud Awards are good examples of where to look for ideas that you can adopt in your charity.
Understand your risks
Having established capacity and capability, it’s time to understand the risks you face. These will come in all shapes and sizes, so break down your operations. There’ll be clear areas such as finance, procurement, HR and IT. However, there will be others, specific to your organisation (eg fleet, care homes and patients, fundraising and shops).
You need to understand not only what the risks are, but where they are coming from. They can come from staff (worryingly, 71 per cent of most fraud is perpetrated by employees), volunteers, trustees, suppliers, contractors, beneficiaries and any other third parties. Conducting a fraud risk workshop with a mixture of grades (especially frontline operational staff) is a good way to capture the risk. The workshop will help identify the risks, the controls and, importantly, who owns the controls. Put these into your risk register, which will ideally be enterprise risk management software – but if not, Excel is a start.
Test your controls
Now that you know what the risks are, what the controls should be and who owns them, it is time to test them. Don’t just do this by simply asking the owner what happens – test it and walk it through. It’s important to remember that controls come in several guises, including:
- prevention eg segregation of duties, ensuring there is proper supporting documentation, robust checking, authorisation takes place, and there is good physical control over assets
- detection eg undertaking reconciliation checks (purchase order to goods-received note to invoice), ensuring services and goods were supplied as per the contract, analysing variances, outliers, anomalies etc., undertaking inventories and stock checks, datamatching and conducting audits.
Remember that trust is not a control. The vital role that whistleblowing plays should be revisited. How easy is it to raise a concern (internally and externally) and how seriously do you take allegations? If you make it hard, people won’t bother. Some charities ignore anonymous allegations; if that is you, stop – you’re missing out on a huge amount of intelligence and opportunity. If you can get the whistleblower’s details, that can be very helpful. If not, you should still take matters seriously.
The best eyes and ears you have are your staff, so it’s vital they are trained to spot the indicators of fraud, know how to escalate their suspicions and then how to respond if their suspicion is confirmed. Reducing the risk of fraud is everyone’s responsibility. Don’t make it the preserve of a single person or team as you’ll miss the opportunity – train everyone.
Embed anti-fraud in all policies
As important as controls are, policies also play a vital role in reducing the risk and opportunity of fraud. Having an anti-fraud policy in place is a good start, however, it should map and dovetail with other relevant policies, such as gifts and hospitality, expenses, whistleblowing and conflicts of interests, among others.
Satisfied that there are adequate prevention mechanisms and policies in place, attention should now turn to deterring fraud. Deterrence needs to be addressed in order to tip the risk versus reward equation back to high risk. Increasing the chances of catching fraudsters and ensuring appropriate sanctions are pursued will help, and may be all that’s needed, to drive the fraudster elsewhere and displace the problem (apologies to neighbours!). It’s vital, therefore, that you ensure your anti-fraud stance is clearly promoted – fraudsters will riskassess you by reviewing your website to see what you have in place and how seriously you are taking the threat. If you’ve had success in obtaining sanctions, promote it.
If you’ve not managed to prevent and deter the fraudster, hopefully you’ll detect the fraud quickly. It’s then time to investigate. With different burdens of proof required for sanctions (beyond all reasonable doubt for criminal and on the balance of probability for civil, disciplinary and regulatory), it’s sensible to give thought as to the types of sanctions you’d ideally want to pursue.
Of course, you may not know the extent of the offence and loss, so it’s best to gather evidence to the standard required for criminal prosecution, as this gives you the best range of options. If you pursue more than one sanction, it’s important you run these in parallel and in a way that does not compromise any future actions you want to take. It’s rare for the defence to argue that their client is innocent, it‘s more likely that your investigation will be scrutinised and challenged in the attempt to discredit you and make evidence inadmissible. It’s therefore imperative that your investigation is carried out lawfully and proportionately.
Take action now – be proactive, not reactive
Of course, there are so many other things that can be done to reduce fraud, including pre-employment screening, enhanced due diligence, data-matching and mining, and the use of artificial intelligence. But to keep it simple, the first things to check now are:
- When did you last undertake a fraud and/or bribery risk assessment (strategic and/or operational)? Threats change – who would have thought five years ago that cyber-crime would be such a threat?
- Do you have the expertise to undertake investigations (criminal, civil, disciplinary and regulatory) or do you require training or external support?
- Is your anti-fraud/bribery strategy properly designed, up-to-date, and working?
- How often are your key policies and controls evaluated for relevance and effectiveness?
- How effective are your whistleblowing arrangements? Would your staff know what to look for and how to respond to suspicions of fraud?
Ultimately, the most important thing is to do something. Be proactive, not reactive in your approach to tackling fraud and remember that although “prevention is better than cure” is an old medical-based adage, it is exactly what is required to truly tackle fraud.
This article first appeared in the Charity Finance Yearbook 2019. At the time of writing, John Baker was counter fraud director at Moore Stephens LLP, which has since merged with BDO. Civil Society Media would like to thank them for their support.