High-profile fraud cases such as last year’s £500,000 vishing scam against the Highland Hospice have put Scottish charities on their guard, but this may not help them spot what the next fraud will look like.
Charities of all sizes are struggling to deal with the tide of attempts to defraud them. This is a serious and very prevalent risk issue for charity trustees.
Rather than look out for specific types of scam, it’s more important to have systems in place to protect against the unexpected. Fraud can take any number of forms – cybercrime, banking fraud, procurement fraud, grant fraud, data breaches and more.
It can also threaten the fundamental survival of a charity: it’s not just about the money taken, but the loss of future funding as well: donors will be wary of giving money to organisations that can’t look after it.
So every charity and every trustee has to take fraud risks seriously.
The problem for charities is that fraud attacks can come from all sides, not just outside the organisation. Research from the Charities Commission, based on England and Wales, found that a third of charity fraud involved staff, volunteers or trustees.
How, then, can charities protect themselves?
The first way is to deploy common sense and caution. OSCR’s Fraud and Cybercrime factsheet reminds charities to check bank statements, change passwords, and not give out information over the phone.
One banking vulnerability many charities need to patch is having systems based on business practices that are out of date. For example, the standard practice of requiring two signatories for cheques is insufficient if an individual staff member can authorise large payments online.
Charities must also look at their wider governance arrangements. In particular, they must anticipate the possibility of fraud by trustees (including office bearers) and staff, volunteers or other individuals who know how their processes work.
Trustees should implement a range of checks and balances including: risk assessment procedures around the charity’s structure and financial accountability; controls on access to electronic information; and systems for staff or volunteers to report anxieties around possible fraud. Written procedures and policies should be updated and reviewed by professional advisors.
Charities may also want tighten up their accounting or scrutiny arrangements. One Scottish charity only found out a staff member had embezzled £220,000 over a seven-year period when it brought in an outside firm to set up a pension scheme.
Reviewing governance systems around fraud prevention is uninviting when charities are hard-pressed for time, and more engaged with their mission and activity than administrative processes. But fraud prevention is essential for every charity’s financial and reputational health.
Having trustees with relevant financial and accounting skills can be useful here. They don’t have to be involved in the day-to-day financial minutiae, but will know how to ask the right questions and implement robust processes.
Secondly, trustee training and governance reviews (which we regularly undertake for a range of charity clients) can be helpful for shining the spotlight on all corners of the organisation, making it harder for fraudsters inside or outside to exploit weaknesses.
Fraud’s always going to evolve, and fraudsters will always be creative. So charities need to evolve their own practices too. The Tackling Charity Fraud Checklist, from the Fraud Advisory Panel, is a good starting-point.