Mark Spofforth reminds charities to take fraud seriously.
Charities are the preserve of philanthropists, of volunteers, of people who want to give, people who want to improve the lot of those less fortunate than themselves. So why should trustees even think about fraud? Surely fraud is something that happens in those unpleasantly commercial organisations exploiting others for profit?
Not so. And specialists in the area, including the Charity Commission, are spreading the message about the risks to your charity. For example a new website, www.charitiesagainstfraud.org.uk, points towards the resources that can help trustees and executives to protect their charity against fraud. Estimates of the amounts lost to fraudsters vary, but it is possible that up to £2bn annually is lost in this way, including the successful diversion of donations to scam charities that don’t exist.
The reason for this is simple – the rise in the use of technology. In society generally, police priorities are moving away from bobbies on the beat, a physical manifestation of the protection afforded by the state, to increasing numbers of officers targeting cybercrime and fraud perpetrated with the aid of technology.
Trustees have to take this seriously, and remember that they have reporting duties which outweigh any concerns about outside observers losing trust in the organisation if it becomes known that a fraud has occurred. Fraud is criminal and a matter for the police, and trustees must also report incidents to the Charity Commission under the serious incident regime if they result in, or risk, significant loss. This gives the Commission the chance to assist with reducing the risks to the sector and ensure that we’re all taking the relevant steps to minimise the risk of fraud. Last year over 2,200 incidents were reported, so you won’t be alone.
There is a tendency on some boards to regard internal financial controls as the preserve of the finance team and the auditors, a black art requiring specific training. And to a certain extent this is not entirely misguided, but every trustee must ask the difficult questions and satisfy themselves that the experts have done everything necessary to protect the assets. The role of the auditors is not to find fraud, although it might be detected during the course of the audit. It is not the main focus of the audit process. Every trustee needs to make sure that the controls exist and that they are consistently applied.
The Commission reports that most frauds are the result of weak governance and poor controls, often coupled with excessive trust in key individuals – a result of a culture in which we all think “it could never happen here”. But it does. Over a third of the frauds originate within the charity itself, with trustees, staff and volunteers all being culpable.
Technology or psychology?
Most cybercrime could equally be termed psychological rather than technological. Staff are tricked into giving away information that can be used to access funds, and the speed of business in the current age means that the fraudster has been and gone before the staff member begins to worry about small inconsistencies in conversations. So passwords are given away, or guessed because they are too simple and never changed. Access to the IT system is handed over to a telephone caller purporting to be from a software house or to have been instructed by the chief executive. Bank details are handed over to aid a cash receipt, but then used to make cash payments. It is useful to run training sessions to explore how these frauds are perpetrated, and how everyone in the organisation can protect themselves from being duped; preparation and practice can make everyone suitably wary of strange calls.
Charities that solicit donations from the public can help reinforce trust in themselves and in the sector by distributing the Fraud Advisory Panel leaflet on giving safely, a collection of simple but effective ways of identifying scams.
Nobody is expected to know all the ways that the fraudsters might attack, but as with any risk to the charity, there are some simple steps that need to be taken. The risk needs to be identified and taken seriously, analysed to see what might happen and predict the consequences. The list of risks need to be prioritised and a decision made as to whether to mitigate the risk or control it, and then effective testing of the controls that have been put in place (in real time, with real examples) undertaken to test the resilience of the organisation. And finally, work out who is going to be responsible for monitoring and reviewing the risk going forward – who in the team needs to keep thinking about the issue?
Fraud can be a frightening risk, but there is no need to behave like a rabbit in the headlights. Most fraudsters go for the pink underbelly of easy targets, the charities that don’t begin to think about the issue. Turn your charity into one of the fraudsters’ “too difficult to try” pile.
Mark Spofforth is a partner at Kreston Reeves
Civil Society Media wishes to thank Kreston Reeves for its support with this article