June 2018Scottish Charity Regulator

Fraud:Reducing the risks in your charity

Fraud: Reducing the risks in your charity

CONTENTS

Pg 3. WHAT IS FRAUD?

Pg 5. CHARITY TRUSTEE DUTIES AND RENUMERATION

a) Developing an anti-fraud strategy

b)Internalfinancialcontrols

Pg 12. HOW OSCR LOOKS AT FRAUD

Pg 14. WHERE CAN I GET ADVICE?

Fraud: Reducing the risks in your charity What is fraud?

Fraud is a crime in which some kind of deception is used for personal gain. Fraud comes in many forms and anyone can be a target,including charities.

Fraudcanbeinternal,committedbysomeonewithinyourcharity,orexternal,committedbysomeonenotdirectlyinvolvedinthecharity.

Ifyouthinkyourcharityhasbeenavictimoffraudyou shouldreportittoPoliceScotlandbyphoning101 immediately.YoualsoneedtotellOSCRbysendingusa notifiable event.

Internal fraud

Thevastmajorityofpeopleinvolvedincharitiesarehonest;however,likeothersectorscharitiesarenotimmunefrominternalorinsiderfraud.Examplesofinternalfraudcaninclude:

• Settinguppaymentstoafakesupplier • Makingpaymentstoanemployeewhodoesnotexist • Makingoverpaymentsforservicesorproducts • Unauthorisedaccessbeinggainedtothecharity’sbankaccount leadingtoinappropriatepaymentsbeingmade.

ResearchfromaCharityCommissionforEnglandandWalesstudyFocus on insider fraud: research reportconcludesthatmuchoftheinsiderfraudlookedatinthestudyweremadepossiblebytheorganisationalculturewithinthecharity,thatputtoomuchtrustandresponsibilityinoneindividual,orallowedalackofchallengeandoversight.

Havinganorganisationalculturewhichvaluesopennessandtransparencycanhelptoovercomethesevulnerabilities.

Page3 OSCRIFraud:Reducingtheriskstoyourcharity

Over relianceon one person

Lack of trusteeengagement in

finance andcontrols

Vulnerability

Absence ofinternalcontrols

Havinganorganisationalculturewhichvaluesopennessandtransparencycanhelptoovercomethesevulnerabilities.

Page4 OSCRIFraud:Reducingtheriskstoyourcharity

Asacharitytrustee,youhaveadutyundertheCharities and Trustee Investment(Scotland) Act 2005 (the 2005 Act),toactintheinterestoftheircharityandinparticulartoactwiththecareanddiligencethatitisreasonabletoexpectofapersonwhoismanagingtheaffairsofanotherperson.

Thismeansthatyoumustactwithahigherlevelofcarethanyoudowithyourownfinancesandaffairs.Youmustmakesurethatyouprotectthecharity’sresourcesandthatyoudonotputtheassetsofthecharityatrisk.

Charitytrusteesshould:

• understandwheretheircharityisvulnerabletofraud • effectivelymanageidentifiedrisks.

Charitytrusteesareresponsibleforthepreventionanddetectionoffraud,eveniftheydelegatesomeoftheirexecutiveresponsibilitiestoindividualtrustees,seniorstafforvolunteers.Charitytrusteeshaveacollectiveresponsibilityforfinancialrecordsandcontrolsoverfinancialprocedurestoprotecttheassetsofthecharity.Ultimately,charitytrusteesareaccountableforallthathappenswithintheircharity.

Theriskfromfinancialfraudandabusecanneverbecompletelyruledout.Howeverproperandadequateinternalfinancialcontrolsplayanimportantpartinmanagingtheserisks.

Charitytrusteesshould:

• identifytheriskstheyfacefromfraud,assessinganyparticular vulnerability • documenttheserisksandanychangesovertime • manageand/ormitigatetheserisks • considermitigationmeasuresaspartoftheroutinegovernance ofthecharity • payattentiontofundraising,asapointofengagementwiththe public.

Charity trustee duties and fraud prevention

Page5 OSCRIFraud:Reducingtheriskstoyourcharity

Wherecharitiesgivelargeamountsofmoneytopartnersandbeneficiariesthentheymustmakesurethatadequatemonitoringtakesplace–thismeansverifyingthatcharityfundsorpropertyreachestheproperdestinationsandareusedhowthecharityintended.

a) Developing an Anti-Fraud Policy

AnAnti-Fraudpolicyshouldbeappropriateandproportionatetothesizeandscaleofyourcharity.Theactivitiesyourcharitycarriesoutwillplayapartinshapingyourpolicy.

Thepolicyshouldencouragereportingofanythingsuspicious,andgetallstafftocommunicateanyirregulareventsorincidents.Thepolicyshouldbestraightforwardandeasytounderstandsostaff,volunteersandcharitytrusteesfeelconfidentaboutwhatandwhentoreportandwhatactiontotake.

Remember:charitytrusteesaretheguardiansofdonated fundsandpublicmoney.

ThingstothinkaboutwhendevelopinganAnti-fraudpolicy:

•Introduction–whodoesthispolicyapplyto,whatkindofaction willbetakeniffraudisidentifiedorsuspected. •Definitionoffraud–includeanyparticularareasofvulnerability identifiedintheriskassessment/managementprocess. •Responsibilities–specifythedifferentstrategicandoperational responsibilitiesundertakenbycharitytrustees,chiefofficer, seniormanagers,staffandvolunteersinpreventingand respondingtofraud. •Otherrelevantpolicies–recruitment(employeereferences) whistleblowing,financialproceduresmanual,riskregister.

Page6 OSCRIFraud:Reducingtheriskstoyourcharity

•Detectionandinvestigation–isthereadesignatedstaffmember orcharitytrusteewithresponsibilityforinvestigatingfraud?Ifthis personfallsundersuspicion,whowillinvestigate? •Disciplinaryprocedures–arethereanycircumstanceswhich mayleadtodisciplinaryaction?Forexample,failingtofollow internalcontrolsandfinancialprocedures,makingmalicious accusations. •Reporting–towhomwillcasesofsuspectedoractualfraudbe referred?Inwhatcircumstances? •Reviewandrefresh–makesureyourpolicyisreviewedand updatedasnecessary,andappropriatetrainingisprovided.

Charitytrusteesneedtotaketheriskoffraudseriouslyandacttoprotectthecharity,includingitsassetsandreputation.

b) Internal financial controls

Onewayoffollowingthedutytoactwithcareanddiligenceistomakesurethatthereareproperfinancialcontrolsinplace.

What do we mean by financial controls?

Goodfinancialcontrolsaretoolsformakingsurethatyoumanagethecharityeffectivelyandmeetyourlegaldutytoactwithcareanddiligence.

Financialcontrolsarethesystemsyouhaveinplacetomakesurethatyouprotecttheassetsofthecharity.

Reviewing accounts

Amajorpartoffinancialcontrolistoreviewtheaccounts.Ausefulwaytodothisistocomparetheamountsspentonindividualexpensecategoriessincetheywerelastreviewedwithwhatwasexpectedtobespentinthatperiod.Ideally,abudgetwillbepreparedandapprovedbythecharity

Page7 OSCRIFraud:Reducingtheriskstoyourcharity

trusteeboardbeforethebeginningofthefinancialyear.Thentheactualresultscanbecomparedtotheexpectedorbudgetedresults,makingiteasiertoinvestigateanydifferencesor‘variances’.

Inasmallorganisationitmaybeappropriatejusttocomparetheexpenditureofoneperiodwiththatofthecorrespondingpreviousperiod,forexamplethemonthbefore.

Controls offer protection

Itisimportanttorememberthatbeingacharitytrusteeisasignificantresponsibility.Wherecontrolsarecorrectlysetupandusedtheywillbothprotecttheassetsofthecharityandyouasacharitytrustee.

What areas do you need to consider?

• Collective responsibility

Allofthecharitytrusteeshaveresponsibilityforthefinancialrecords,notjustthetreasurer.Ascharitytrustees,itisimportantthatyouallhaveabasicunderstandingofthefinancesofyourcharityandcanquicklyidentifyifthereareanyproblems.Thefinancialinformationshouldbediscussedatmeetingstomakesurethateveryoneknowsthecharity’sfinancialsituation.Forexample,financeshouldbearecurringitemontheagendaofeveryboardmeeting.Itisgoodpracticethatsomeoneotherthanthetreasureralsohasanunderstandingofhowthecharity’sfinancialrecordsarekept.

• Finance Committee

Someorganisationsfindithelpfultosetupafinancesub-committeeofcharitytrusteesandadvisorswithfinancialoraccountingknowledge.Theyhaveadditionalmeetingstospendextratimeondetailedfinancematters,likebudgetpreparation,andthenreportbacktothecharitytrusteeboard.Havingacommitteedoesnotabsolvetheothercharitytrusteesoftheircollectiveresponsibilitybutcanbehelpfulinclarifyingmattersthatare

Page8 OSCRIFraud:Reducingtheriskstoyourcharity

submittedtothefullcharitytrusteeboard.

• Separation of duties

Wherepossibleyoushouldseparateouttheadministrativetaskssothatnooneindividualhassoleresponsibilityforthefinancialtransactionsofyourcharity.Wecallthis‘separationofduties’.

Forexample,whenyourcharitymakesapurchasethesameindividual(whetheritisacharity trustee,employeeorvolunteer)shouldnotberesponsibleforarrangingthepurchase,authorisingthepaymentandmakingthepayment.Inverysmallcharities,itcanbedifficulttohaveaseparationofduties.Youshouldmakesurethatchecksareregularlycarriedoutonfinancialrecordsandtransactionstocompensateforthis.

• Written procedures

Yourfinancialproceduresshouldbedocumented.Thiswillhelpwherecharitytrusteeschangeregularlyandifsomethingunexpectedhappenssuchasatreasurerbeingtakenill.

Youshouldreviewyourproceduresannuallytomakesuretheyarestillfitforpurpose,beingfollowedcorrectlyandunderstood.

• Controls over cash

Wherepossibleitisbesttoavoidtheuseofcash,asitishardertomaintainatrailofcashandmucheasierfortheftorfraudtohappenandgoundetected.Youshouldencouragedonationstobemadebybanktransfer,chequesoronlineandyoushouldmakepaymentsinthiswaywhereverpossible.

Ifyoudoreceivecashdonations,twopeopleshouldcounttheseandthenmakesurethemoneyisbankedassoonaspossible.Youshouldissuereceiptsforthedonationsandnotmakeanypaymentsoutofthiscashbeforetakingittothebank.

Page9 OSCRIFraud:Reducingtheriskstoyourcharity

Youshouldkeeppettycashtoaminimum.Receiptsshouldberequiredforallitemsofpettycash.Accesstothepettycashboxshouldberestrictedanditshouldbeheldinasecureplace.Acashbookshouldbekepttorecordwhatgoesintothepettycashandwhatispaidoutofit.Eachtimethereismoneyaddedtoortakenoutofthepettycashitshouldberecordedinthecashbookwithsupportingdocumentation,suchasacopyofadonationreceiptorexpenditurereceipt.Theamountinthepettycashboxshouldberegularlycountedandcomparedtothebalanceinthecashbooktomakesurethatallmoneyisproperlyrecordedandaccountedfor.

• Banking

Bankingisanimportantpartofthefinancialcontrols.Charitytrusteeshavealegaldutytoprotectthecharity’sassetsandsoshouldmakeuseofregulatedbankingserviceswheretheseareavailabletomakesurethecharity’sfundsaresecure.Whenconsideringyourcharity’sbankingarrangements,youshouldchooseanorganisationthatisabletoofferformalbankingfacilitiesandthefullrangeofservicesthatyouneed.IntheUKthoseorganisationsthatareabletoofferformalbankingfacilitiesareusuallyauthorisedandregulatedbytheFinancialConductAuthority(FCA).

Bankswillaskfordetailsofallsignatoriesandusuallyallthecharitytrustees,sobepreparedtohavethisinformationavailable.Youshouldbeawareofthetermsandconditionsofyourbankingarrangementsandad-visethebankimmediatelyofanychangesthatmayaffecttheseforexample,achangeofsignatories.

Bankstatementsshouldbeagreedtotheaccountingrecordsregularly,atleastmonthly,andsomeoneotherthanthepersonwhoisotherwiseinvolvedinthebankingprocessshouldreviewthesereconciliations.

Bankreconciliationsshouldbereviewedattrusteemeetings.Insmallercharities,bankstatementsandtransactionsmaybecheckedattrusteemeetings.

Page10 OSCRIFraud:Reducingtheriskstoyourcharity

• Cheque payments

Chequesshouldhaveaminimumoftwosignatoriestomakesurethatitisnotjustonepersonwhocanmakepayments.Youshouldhavesystemsinplacetocheckinvoicesandauthorisepaymentsbeforetheyaremade.

Youshouldnotsignchequeswheretheamountandtherecipientarenotalreadyfilledin(blankcheques).Youshouldensurethatthedetailsonthechequestubmatchthecorrespondingcheque.Ifthisisnotdonethechequesmaynotbeaccountedforcorrectlyandmightresultinlostorstolenmoney.

• Automated payments

AutomatedpaymentsfromthebankaccountsuchasDirectDebitsandStandingOrdersshouldbesubjecttothesamecontrolsasotherpayments.Areviewofallsuchautomatedexpenditureshouldtakeplaceregularly.

• Internet banking and online payments

Itcanbemoredifficulttodeveloptightfinancialcontrolsforbanktransfersasaccessmayberestrictedtoasinglelogin.Youshouldconsidermakingarulethattwopeoplehavetobepresentwhenlargetransactionsarebeingprocessed.

Somebanksallowcharitiestoprovidemorethanonepersontoauthorisepayments(dualauthority).Youshouldaskyourcharity’sbankfordetailsoftheirdualauthorityoptionssothatyoucanconsiderwhatisrightforyourcharity.

• Credit Cards

Creditcardsareoftenrequiredtopayfortravelorpurchaseitemsonline.Thereshouldbeinternalcontrolprocedurestocoverthisincludingcreditlimits,authorisationproceduresandreviewandauthorisationofcreditcardstatements.

Page11 OSCRIFraud:Reducingtheriskstoyourcharity

OSCR’sroleistomakesurethatcharitiescomplywiththerequirementsofScottishcharitylawandthatcharitytrusteesruncharitiesinlinewiththeirlegalduties.

Wherefraudoccursinacharity,ourfocusistomakesurethatcharitytrusteesactappropriatelyandinaccordancewiththeircharitytrusteeduties.Welooktoseewhetheryouhavesuitablecontrolsoverfinancialprocedurestoprotecttheassetsofthecharityandwhatstepsthecharitytrusteeshavetakensincetheeventhappenedtoensureitdoesn’trecur.

Ifyoufailtocomplywiththecharitytrusteedutiesthenthisismisconductandwedohavepowerstotakeaction,whereappropriate.Ourresponsewillbeproportionatedependingonthesituation.Whereacharitytrusteehasactedreasonablyandhonestlyitisunlikelytobetreatedasmisconduct.

Youcanfindoutmoreaboutwhatwecanandcannotdoandwhattoexpectifwehaveaconcernaboutyourcharityonour website.

OSCRisnotresponsibleforinvestigatingorprosecutingcriminalactivity.WherewehaveconcernsregardingcriminalconductwecananddoreportthemtotheCrownOfficeandProcuratorFiscalService.

OurInquiry Policysetsouthowweassessconcernsaboutcharities.ThepolicysetsoutthemattersthatOSCRcanandcannotdealwithandexplainshowweassessconcernstodecideifwetakethemforward.

Whereafraudisidentifiedwithinacharity,thecharitytrusteesshouldfirstofallreportthistothepolice.

Reporting instances of fraud to OSCR

OurNotifiableEventsregimerequirescharitytrusteestoreporteventsthatarelikelytohaveasignificantimpactontheircharity.Whentherehasbeen afraud,charitytrusteesshouldconsiderourGuidance on Notifiable Events tounderstandwhetherthisshouldalsobereportedtous.

How OSCR looks at fraud

Page12 OSCRIFraud:Reducingtheriskstoyourcharity

Reportingdemonstratesthatcharitytrusteeshaveidentifiedaseriousincidentwithintheircharityandthattheyaretakingappropriateactiontodealwithitandprotectthecharityfromfurtherriskorabuse.

Whenreporting,trusteesshouldprovideasmuchinformationaspossibleaboutthefactsofthecaseandtheactionsbeingtaken.Thiswillallowustoassessiftheappropriateactionsarebeingtakeninanygivencase.

Thereisnolegalrequirementtoreportanotifiableevent.However,itisanimportantwayforcharitytrusteestoreassureusthattheyareontopoftheissuestheyarefacing.Ultimately,wemaybecomeconcernediftherehasbeenamatterthathasnotbeenreportedtous;especiallyif it goes on to haveanegativeimpactontheindividualcharityorthewidercharitysector.Wheresomethingsignificanthashappenedwithinacharityandthishasnotbeenreportedtousinfull,wewilltakethisintoaccountifwehavetoopenaninquiry.Ultimately,thiscouldbeconsideredtobemisconduct.

ReportinganotifiableeventhelpsOSCRtoassessthevolumeandimpactoffraudincidentswithincharitiesandtounderstandtherisksfacingthesectorasawhole.Thishelpsustodecidehowwecanbettersupportcharitiesthroughourguidanceandassesswhereweneedtofocusouractivities.

Ifyou’renotsurewhethertoreportsomethingasanotifiableeventpleasecontact us.

How OSCR looks at fraud

Page13 OSCRIFraud:Reducingtheriskstoyourcharity

• TheAction Fraud websitecontainsmoredetailedinformation onfraudandhowtoprotectyourself. • TheCharity Finance Group has guidance and checklists designedforsmallcharitieslookingtopreventfraud. • TheCharityCommissionforEnglandandWaleshasguidance called ‘Protect your charity from fraud’ and Internal financial controls for charities (CC8)whichcontainspracticaladvice andlinkstoothersourcesofhelp. • OSCR’sfactsheet:Cybercrime - what is it and what you need to know.

Where can I get more information?

Page14 OSCRIFraud:Reducingtheriskstoyourcharity

Where can I get more information? Notes

Page15 OSCRIFraud:Reducingtheriskstoyourcharity

The Scottish Charity Regulator (OSCR)2nd FloorQuadrant House9 Riverside DriveDundeeDD14NY

T 01382 220446

E info@oscr.org.uk

@ScotCharityReg

ScottishCharityRegulator

www.oscr.org.uk