Preventing fraud through better internal controls
Find out how to get the right checks in place so you can continue to do good charitable work
How big is the problem?
A report in 2014 from the Centre for Counter Fraud Studies[1] concluded that the charity sector was no more or less exposed to fraud loss than any other sector. They estimated that fraud loss is generally 5 per cent of income – so for the charity sector this amounts to £1.65bn a year. Immediately, we can see that preventing fraud is definitely something that needs to be considered.
Another survey from the National Fraud Authority (NFA) estimated charity fraud to be worth £1.15bn[2] and another put it at ‘just’ £147m[3]. Whatever the exact figure is there is no escaping the fact that significant sums of money that should be being put to charitable use, is being lost to fraud.
There are inherent risks in the charity model that make certain charities easy targets for a fraudster, and there have been numerous cases of bogus fundraisers collecting donations from the public on behalf of charities. Other types of fraud risk are as applicable to charities as other organisations. An example being the recent wave of frauds committed through bogus changes in supplier details.
The unpredictable nature of the income of many charities (donations, legacies) makes some of the standard fraud detective controls (trend analysis, profit margins) ineffective; and whilst it may prove beyond the control of an individual charity to fully manage these inherent risks, these risks need to be recognised and managed where possible.
What needs to be done to keep preventing fraud?
There is much a charity can and should do to strengthen its control environment to reduce fraud risk and to build an organisational culture that will deter potential fraudsters.
Some of these controls are standard routine financial controls that should be second nature to any finance manager. But direct controls are only as effective as the people who operate them. How effective is a chief executive’s authorisation of the monthly payroll amidst their other responsibilities and without any specialist understanding of the reports?
To effectively manage fraud risk requires a broad portfolio of controls. The controls need to recognise that in this technological age, frauds are as likely to be committed by people external to the charity through hacking and cybercrime. Fundraising charities hold personal details, including bank or credit card details for thousands of individual donors. How strong are your controls over this data?
The fraud risk triangle emphasises that in the majority of frauds, three conditions are in place: the fraudster can identify the opportunity; the fraudster has some motivation for committing fraud and the fraudster will have their own rationalisation as to how they justify the fraud.
Internal fraud risks require a balanced portfolio of controls, which include undertaking a fraud risk assessment so that you understand where your vulnerabilities are; strong financial controls over payment processes, payroll and expenses and accountability for budget holders, as well as scrutiny of management accounts, procurement procedures and whistle-blowing procedures.
These controls can reduce the opportunity for a potential fraudster to identify vulnerability in internal controls. However to reduce the motivation and rationalisation factors requires a range of softer controls too that arise out of an organisation’s culture, and the importance of organisational culture in fraud prevention should not be under-estimated.
How does organisational culture help prevent fraud?
A well-motivated, fairly remunerated staff team will reduce the likelihood of an employee developing a grudge that may lead to a fraud motive. Proper consideration of staff welfare and working hours will reduce the risk of an individual feeling exploited and use their perceived ‘exploitation’ as a rationalisation of why it’s acceptable to de-fraud a charity.
It is important that the leadership of the charity sets the right tone – trustees and senior staff must follow the rules when it comes to claiming expenses and getting purchases authorised. Awareness of why controls exist is also an important element in organisational culture. Put simply, a control is a response to a risk.
Some controls like bank reconciliations are efficient controls because they manage several risks in one activity. Another example of an efficient control is monitoring actual expenditure to budget. Managers may not realise that they are part of the charity’s control environment, but a regular comparison of actual expenditure to budget will help to identify errors and potential fraud.
An open and transparent working environment will also increase the impact of whistle-blowing both as a detective control (employees feeling a sense of loyalty to the organisation and so feel duty bound to report fraud and other wrong doing) and preventative control (the sense that your actions will be spotted and reported).
Charities want to make it as easy as possible for supporters to donate to them. They want to encourage volunteers to do cash collections. They want to encourage regular giving by providing bank details on-line. This is entirely understandable and fraud risks should not stand in their way of doing this. But in doing this, charities need to recognise their vulnerabilities and ensure that compensating controls are in place.