It would appear that no charity is safe as headlines over recent weeks and months illustrate the wide range of organisations affected.
As well as the risk of external fraud such as the cybercrime incident in last year’s £500,000 vishing scam against Highland Hospice, charities have also been hit by sizeable financial losses due to insider fraud. The Scottish Wildlife Trust, South Glasgow Childcare Partnership Forum, Douglas Park Nursery and Greater Maryhill Foodbank were all defrauded in recent months by unscrupulous employees and volunteers.
Such high-profile cases may put Scottish charities on their guard, but may not help them spot what the next fraud will look like.
Rather than look out for specific types of scam, it’s more important to have systems in place to protect against the unexpected. Fraud can take any number of forms – cybercrime, banking fraud, procurement fraud, grant fraud, data breaches and more.
It can also threaten the fundamental survival of a charity: it’s not just about the money taken, but the loss of future funding as well. Donors will be wary of giving money to organisations that can’t look after it.
So every charity and every trustee has to take fraud risks seriously.
As these recent cases highlight, the problem for charities is that fraud attacks can come from all sides, not just outside the organisation. Research from the Charities Commission, based on England and Wales, found that a third of charity fraud involved staff, volunteers or trustees.
How, then, can charities protect themselves?
Charities can deploy common sense and caution. OSCR’s Fraud and Cybercrime factsheet reminds charities to check bank statements, change passwords, and not give out information over the phone.
One area of vulnerability that many charities need to patch is in relation to banking processes and having systems based on business practices that are out of date. For example, the standard practice of requiring two signatories for cheques is insufficient if an individual staff member can authorise large payments online. Interestingly, placing too much responsibility on one individual appears to be a leading cause of the majority of insider fraud cases.
Charities must also look at their wider governance arrangements and ensure that risk management is high on the agenda a board level. In particular, they must anticipate the possibility of fraud by trustees (including office bearers) and staff, volunteers or other individuals who know how their processes work.
Trustees should implement a range of checks and balances including: risk assessment procedures around the charity’s structure and financial accountability; controls on access to electronic information; and systems for staff or volunteers to report anxieties around possible fraud. Written procedures and policies should be updated and reviewed by professional advisors.
Charities may also want tighten up their accounting or scrutiny arrangements. One Scottish charity only found out a staff member had embezzled £220,000 over a seven-year period when it brought in an outside firm to set up a pension scheme.
Reviewing governance systems around fraud prevention is often not top of the priority list when charities are hard-pressed for time, and more engaged with their mission and activity than administrative processes. But fraud prevention is essential for every charity’s financial and reputational health.
Having trustees with relevant financial and accounting skills is important here. They don’t have to be involved in the day-to-day financial minutiae, but will know how to ask the right questions and implement robust processes.
Trustee training and governance reviews can also be helpful for shining the spotlight on all corners of the organisation, making it harder for fraudsters inside or outside to exploit weaknesses.
Fraud’s always going to evolve, and fraudsters will always be creative. So charities need to evolve their own practices too. A good starting-point, in addition to seeking professional advice, is to review information such as the Tackling Charity Fraud Checklist, from the Fraud Advisory Panel and the previously referred to factsheet from the Scottish Charity Regulator, OSCR.
Alastair Keatinge is partner and head of charities and social enterprises at Lindsays