By Kate Sayer and Jonathan Orchard, Partners, Sayer Vincent
Many people still think that financial controls and audit activity is all about preventing and detecting fraud – well not quite. It’s actually about complete and accurate data so you can base your decisions on reliable information. Fraud is just one of the reasons why your records may be false. But how should trustees get some assurance about the management of fraud risks to their organisation?
An important first step is to talk about fraud. Many shy away from such discussions but in doing so, they stumble at the first hurdle. Boards need to realise that it is their duty to communicate clearly that fraud is theft and it will not be tolerated. They need to have a clear policy that includes details of what fraud means, how the charity expects to detect fraud, how it will respond to fraud as well as a policy to support whistle blowing. The most common method of detecting fraud is by others in the organisation flagging up areas of concern either to their line manager or the board, so it is important that employees have clear procedures and guidance and understand to whom they can talk and the reassurance that it will be confidential.
Here are the top ten things to consider in terms of preventing fraud in your charity:
- There is a lot of fraud in charities so don’t imagine your charity is immune – it isn’t. You can reduce the risk of fraud, but you cannot eliminate it.
- Most fraud is not very sophisticated – it is often simple, and can be prevented simply using good old-fashioned controls.
- The thing about controls is that you have to implement them. For example, getting blank cheques signed is bypassing the control – you are asking for fraud.
- A common fraud in charities is internal and perpetrated by finance staff – false purchase invoices slipped into the system and paid as part of the batch.
- Note that this fraud relies on a lack of attention by the manager authorising the purchase invoice for payment. This is a good example of a control (authorising) being ineffective because it is not implemented as it was designed. If implemented properly, this should be a strong control.
- Don’t publish details of your normal bank current account on your website – if you want donors to pay funds direct into your account, use a different account such as a deposit account as that can only receive funds, not be used to pay expenditure.
- Don’t publish reports or accounts with scanned signatures – this can make forgery easy
- Do check if you receive notice from a supplier that their bank details have changed – there is a well-known scam used to divert funds to the thief’s bank account. Just phone them to check that the change is genuine.
- Establish the principle that it is OK to report any suspicious activity. Staff and volunteers need to feel confident that this will be handled appropriately and that they are doing the right thing. It requires a considerable effort by individuals to overcome the sense that they are telling tales.
- The most important control your organisation can introduce is a strong culture that fraud is not acceptable. A strong sense of values and commitment to the cause will create the right culture and help to embed the sense that it is OK to report any suspicious activity. Charities can play a strong hand here – stealing from the charity means that the money is not going to a good cause.
It is also important thought that the leadership of the charity sets the right tone – trustees and senior staff must follow the rules when it comes to claiming expenses and getting purchases authorised. If the leaders of the charity go round the system, why shouldn’t others too?