fraud: reducing the risks in your charity - oscr...fraud: reducing the risks in your charity what is...
TRANSCRIPT
June 2018Scottish Charity Regulator
Fraud:Reducing the risks in your charity
Fraud: Reducing the risks in your charity
CONTENTS
Pg 3. WHAT IS FRAUD?
Pg 5. CHARITY TRUSTEE DUTIES AND RENUMERATION
a) Developing an anti-fraud strategy
b)Internalfinancialcontrols
Pg 12. HOW OSCR LOOKS AT FRAUD
Pg 14. WHERE CAN I GET ADVICE?
Fraud: Reducing the risks in your charity What is fraud?
Fraud is a crime in which some kind of deception is used for personal gain. Fraud comes in many forms and anyone can be a target,including charities.
Fraudcanbeinternal,committedbysomeonewithinyourcharity,orexternal,committedbysomeonenotdirectlyinvolvedinthecharity.
Ifyouthinkyourcharityhasbeenavictimoffraudyou shouldreportittoPoliceScotlandbyphoning101 immediately.YoualsoneedtotellOSCRbysendingusa notifiable event.
Internal fraud
Thevastmajorityofpeopleinvolvedincharitiesarehonest;however,likeothersectorscharitiesarenotimmunefrominternalorinsiderfraud.Examplesofinternalfraudcaninclude:
• Settinguppaymentstoafakesupplier • Makingpaymentstoanemployeewhodoesnotexist • Makingoverpaymentsforservicesorproducts • Unauthorisedaccessbeinggainedtothecharity’sbankaccount leadingtoinappropriatepaymentsbeingmade.
ResearchfromaCharityCommissionforEnglandandWalesstudyFocus on insider fraud: research reportconcludesthatmuchoftheinsiderfraudlookedatinthestudyweremadepossiblebytheorganisationalculturewithinthecharity,thatputtoomuchtrustandresponsibilityinoneindividual,orallowedalackofchallengeandoversight.
Havinganorganisationalculturewhichvaluesopennessandtransparencycanhelptoovercomethesevulnerabilities.
Page3 OSCRIFraud:Reducingtheriskstoyourcharity
Over relianceon one person
Lack of trusteeengagement in
finance andcontrols
Vulnerability
Absence ofinternalcontrols
Havinganorganisationalculturewhichvaluesopennessandtransparencycanhelptoovercomethesevulnerabilities.
Page4 OSCRIFraud:Reducingtheriskstoyourcharity
Asacharitytrustee,youhaveadutyundertheCharities and Trustee Investment(Scotland) Act 2005 (the 2005 Act),toactintheinterestoftheircharityandinparticulartoactwiththecareanddiligencethatitisreasonabletoexpectofapersonwhoismanagingtheaffairsofanotherperson.
Thismeansthatyoumustactwithahigherlevelofcarethanyoudowithyourownfinancesandaffairs.Youmustmakesurethatyouprotectthecharity’sresourcesandthatyoudonotputtheassetsofthecharityatrisk.
Charitytrusteesshould:
• understandwheretheircharityisvulnerabletofraud • effectivelymanageidentifiedrisks.
Charitytrusteesareresponsibleforthepreventionanddetectionoffraud,eveniftheydelegatesomeoftheirexecutiveresponsibilitiestoindividualtrustees,seniorstafforvolunteers.Charitytrusteeshaveacollectiveresponsibilityforfinancialrecordsandcontrolsoverfinancialprocedurestoprotecttheassetsofthecharity.Ultimately,charitytrusteesareaccountableforallthathappenswithintheircharity.
Theriskfromfinancialfraudandabusecanneverbecompletelyruledout.Howeverproperandadequateinternalfinancialcontrolsplayanimportantpartinmanagingtheserisks.
Charitytrusteesshould:
• identifytheriskstheyfacefromfraud,assessinganyparticular vulnerability • documenttheserisksandanychangesovertime • manageand/ormitigatetheserisks • considermitigationmeasuresaspartoftheroutinegovernance ofthecharity • payattentiontofundraising,asapointofengagementwiththe public.
Charity trustee duties and fraud prevention
Page5 OSCRIFraud:Reducingtheriskstoyourcharity
Wherecharitiesgivelargeamountsofmoneytopartnersandbeneficiariesthentheymustmakesurethatadequatemonitoringtakesplace–thismeansverifyingthatcharityfundsorpropertyreachestheproperdestinationsandareusedhowthecharityintended.
a) Developing an Anti-Fraud Policy
AnAnti-Fraudpolicyshouldbeappropriateandproportionatetothesizeandscaleofyourcharity.Theactivitiesyourcharitycarriesoutwillplayapartinshapingyourpolicy.
Thepolicyshouldencouragereportingofanythingsuspicious,andgetallstafftocommunicateanyirregulareventsorincidents.Thepolicyshouldbestraightforwardandeasytounderstandsostaff,volunteersandcharitytrusteesfeelconfidentaboutwhatandwhentoreportandwhatactiontotake.
Remember:charitytrusteesaretheguardiansofdonated fundsandpublicmoney.
ThingstothinkaboutwhendevelopinganAnti-fraudpolicy:
•Introduction–whodoesthispolicyapplyto,whatkindofaction willbetakeniffraudisidentifiedorsuspected. •Definitionoffraud–includeanyparticularareasofvulnerability identifiedintheriskassessment/managementprocess. •Responsibilities–specifythedifferentstrategicandoperational responsibilitiesundertakenbycharitytrustees,chiefofficer, seniormanagers,staffandvolunteersinpreventingand respondingtofraud. •Otherrelevantpolicies–recruitment(employeereferences) whistleblowing,financialproceduresmanual,riskregister.
Page6 OSCRIFraud:Reducingtheriskstoyourcharity
•Detectionandinvestigation–isthereadesignatedstaffmember orcharitytrusteewithresponsibilityforinvestigatingfraud?Ifthis personfallsundersuspicion,whowillinvestigate? •Disciplinaryprocedures–arethereanycircumstanceswhich mayleadtodisciplinaryaction?Forexample,failingtofollow internalcontrolsandfinancialprocedures,makingmalicious accusations. •Reporting–towhomwillcasesofsuspectedoractualfraudbe referred?Inwhatcircumstances? •Reviewandrefresh–makesureyourpolicyisreviewedand updatedasnecessary,andappropriatetrainingisprovided.
Charitytrusteesneedtotaketheriskoffraudseriouslyandacttoprotectthecharity,includingitsassetsandreputation.
b) Internal financial controls
Onewayoffollowingthedutytoactwithcareanddiligenceistomakesurethatthereareproperfinancialcontrolsinplace.
What do we mean by financial controls?
Goodfinancialcontrolsaretoolsformakingsurethatyoumanagethecharityeffectivelyandmeetyourlegaldutytoactwithcareanddiligence.
Financialcontrolsarethesystemsyouhaveinplacetomakesurethatyouprotecttheassetsofthecharity.
Reviewing accounts
Amajorpartoffinancialcontrolistoreviewtheaccounts.Ausefulwaytodothisistocomparetheamountsspentonindividualexpensecategoriessincetheywerelastreviewedwithwhatwasexpectedtobespentinthatperiod.Ideally,abudgetwillbepreparedandapprovedbythecharity
Page7 OSCRIFraud:Reducingtheriskstoyourcharity
trusteeboardbeforethebeginningofthefinancialyear.Thentheactualresultscanbecomparedtotheexpectedorbudgetedresults,makingiteasiertoinvestigateanydifferencesor‘variances’.
Inasmallorganisationitmaybeappropriatejusttocomparetheexpenditureofoneperiodwiththatofthecorrespondingpreviousperiod,forexamplethemonthbefore.
Controls offer protection
Itisimportanttorememberthatbeingacharitytrusteeisasignificantresponsibility.Wherecontrolsarecorrectlysetupandusedtheywillbothprotecttheassetsofthecharityandyouasacharitytrustee.
What areas do you need to consider?
• Collective responsibility
Allofthecharitytrusteeshaveresponsibilityforthefinancialrecords,notjustthetreasurer.Ascharitytrustees,itisimportantthatyouallhaveabasicunderstandingofthefinancesofyourcharityandcanquicklyidentifyifthereareanyproblems.Thefinancialinformationshouldbediscussedatmeetingstomakesurethateveryoneknowsthecharity’sfinancialsituation.Forexample,financeshouldbearecurringitemontheagendaofeveryboardmeeting.Itisgoodpracticethatsomeoneotherthanthetreasureralsohasanunderstandingofhowthecharity’sfinancialrecordsarekept.
• Finance Committee
Someorganisationsfindithelpfultosetupafinancesub-committeeofcharitytrusteesandadvisorswithfinancialoraccountingknowledge.Theyhaveadditionalmeetingstospendextratimeondetailedfinancematters,likebudgetpreparation,andthenreportbacktothecharitytrusteeboard.Havingacommitteedoesnotabsolvetheothercharitytrusteesoftheircollectiveresponsibilitybutcanbehelpfulinclarifyingmattersthatare
Page8 OSCRIFraud:Reducingtheriskstoyourcharity
submittedtothefullcharitytrusteeboard.
• Separation of duties
Wherepossibleyoushouldseparateouttheadministrativetaskssothatnooneindividualhassoleresponsibilityforthefinancialtransactionsofyourcharity.Wecallthis‘separationofduties’.
Forexample,whenyourcharitymakesapurchasethesameindividual(whetheritisacharity trustee,employeeorvolunteer)shouldnotberesponsibleforarrangingthepurchase,authorisingthepaymentandmakingthepayment.Inverysmallcharities,itcanbedifficulttohaveaseparationofduties.Youshouldmakesurethatchecksareregularlycarriedoutonfinancialrecordsandtransactionstocompensateforthis.
• Written procedures
Yourfinancialproceduresshouldbedocumented.Thiswillhelpwherecharitytrusteeschangeregularlyandifsomethingunexpectedhappenssuchasatreasurerbeingtakenill.
Youshouldreviewyourproceduresannuallytomakesuretheyarestillfitforpurpose,beingfollowedcorrectlyandunderstood.
• Controls over cash
Wherepossibleitisbesttoavoidtheuseofcash,asitishardertomaintainatrailofcashandmucheasierfortheftorfraudtohappenandgoundetected.Youshouldencouragedonationstobemadebybanktransfer,chequesoronlineandyoushouldmakepaymentsinthiswaywhereverpossible.
Ifyoudoreceivecashdonations,twopeopleshouldcounttheseandthenmakesurethemoneyisbankedassoonaspossible.Youshouldissuereceiptsforthedonationsandnotmakeanypaymentsoutofthiscashbeforetakingittothebank.
Page9 OSCRIFraud:Reducingtheriskstoyourcharity
Youshouldkeeppettycashtoaminimum.Receiptsshouldberequiredforallitemsofpettycash.Accesstothepettycashboxshouldberestrictedanditshouldbeheldinasecureplace.Acashbookshouldbekepttorecordwhatgoesintothepettycashandwhatispaidoutofit.Eachtimethereismoneyaddedtoortakenoutofthepettycashitshouldberecordedinthecashbookwithsupportingdocumentation,suchasacopyofadonationreceiptorexpenditurereceipt.Theamountinthepettycashboxshouldberegularlycountedandcomparedtothebalanceinthecashbooktomakesurethatallmoneyisproperlyrecordedandaccountedfor.
• Banking
Bankingisanimportantpartofthefinancialcontrols.Charitytrusteeshavealegaldutytoprotectthecharity’sassetsandsoshouldmakeuseofregulatedbankingserviceswheretheseareavailabletomakesurethecharity’sfundsaresecure.Whenconsideringyourcharity’sbankingarrangements,youshouldchooseanorganisationthatisabletoofferformalbankingfacilitiesandthefullrangeofservicesthatyouneed.IntheUKthoseorganisationsthatareabletoofferformalbankingfacilitiesareusuallyauthorisedandregulatedbytheFinancialConductAuthority(FCA).
Bankswillaskfordetailsofallsignatoriesandusuallyallthecharitytrustees,sobepreparedtohavethisinformationavailable.Youshouldbeawareofthetermsandconditionsofyourbankingarrangementsandad-visethebankimmediatelyofanychangesthatmayaffecttheseforexample,achangeofsignatories.
Bankstatementsshouldbeagreedtotheaccountingrecordsregularly,atleastmonthly,andsomeoneotherthanthepersonwhoisotherwiseinvolvedinthebankingprocessshouldreviewthesereconciliations.
Bankreconciliationsshouldbereviewedattrusteemeetings.Insmallercharities,bankstatementsandtransactionsmaybecheckedattrusteemeetings.
Page10 OSCRIFraud:Reducingtheriskstoyourcharity
• Cheque payments
Chequesshouldhaveaminimumoftwosignatoriestomakesurethatitisnotjustonepersonwhocanmakepayments.Youshouldhavesystemsinplacetocheckinvoicesandauthorisepaymentsbeforetheyaremade.
Youshouldnotsignchequeswheretheamountandtherecipientarenotalreadyfilledin(blankcheques).Youshouldensurethatthedetailsonthechequestubmatchthecorrespondingcheque.Ifthisisnotdonethechequesmaynotbeaccountedforcorrectlyandmightresultinlostorstolenmoney.
• Automated payments
AutomatedpaymentsfromthebankaccountsuchasDirectDebitsandStandingOrdersshouldbesubjecttothesamecontrolsasotherpayments.Areviewofallsuchautomatedexpenditureshouldtakeplaceregularly.
• Internet banking and online payments
Itcanbemoredifficulttodeveloptightfinancialcontrolsforbanktransfersasaccessmayberestrictedtoasinglelogin.Youshouldconsidermakingarulethattwopeoplehavetobepresentwhenlargetransactionsarebeingprocessed.
Somebanksallowcharitiestoprovidemorethanonepersontoauthorisepayments(dualauthority).Youshouldaskyourcharity’sbankfordetailsoftheirdualauthorityoptionssothatyoucanconsiderwhatisrightforyourcharity.
• Credit Cards
Creditcardsareoftenrequiredtopayfortravelorpurchaseitemsonline.Thereshouldbeinternalcontrolprocedurestocoverthisincludingcreditlimits,authorisationproceduresandreviewandauthorisationofcreditcardstatements.
Page11 OSCRIFraud:Reducingtheriskstoyourcharity
OSCR’sroleistomakesurethatcharitiescomplywiththerequirementsofScottishcharitylawandthatcharitytrusteesruncharitiesinlinewiththeirlegalduties.
Wherefraudoccursinacharity,ourfocusistomakesurethatcharitytrusteesactappropriatelyandinaccordancewiththeircharitytrusteeduties.Welooktoseewhetheryouhavesuitablecontrolsoverfinancialprocedurestoprotecttheassetsofthecharityandwhatstepsthecharitytrusteeshavetakensincetheeventhappenedtoensureitdoesn’trecur.
Ifyoufailtocomplywiththecharitytrusteedutiesthenthisismisconductandwedohavepowerstotakeaction,whereappropriate.Ourresponsewillbeproportionatedependingonthesituation.Whereacharitytrusteehasactedreasonablyandhonestlyitisunlikelytobetreatedasmisconduct.
Youcanfindoutmoreaboutwhatwecanandcannotdoandwhattoexpectifwehaveaconcernaboutyourcharityonour website.
OSCRisnotresponsibleforinvestigatingorprosecutingcriminalactivity.WherewehaveconcernsregardingcriminalconductwecananddoreportthemtotheCrownOfficeandProcuratorFiscalService.
OurInquiry Policysetsouthowweassessconcernsaboutcharities.ThepolicysetsoutthemattersthatOSCRcanandcannotdealwithandexplainshowweassessconcernstodecideifwetakethemforward.
Whereafraudisidentifiedwithinacharity,thecharitytrusteesshouldfirstofallreportthistothepolice.
Reporting instances of fraud to OSCR
OurNotifiableEventsregimerequirescharitytrusteestoreporteventsthatarelikelytohaveasignificantimpactontheircharity.Whentherehasbeen afraud,charitytrusteesshouldconsiderourGuidance on Notifiable Events tounderstandwhetherthisshouldalsobereportedtous.
How OSCR looks at fraud
Page12 OSCRIFraud:Reducingtheriskstoyourcharity
Reportingdemonstratesthatcharitytrusteeshaveidentifiedaseriousincidentwithintheircharityandthattheyaretakingappropriateactiontodealwithitandprotectthecharityfromfurtherriskorabuse.
Whenreporting,trusteesshouldprovideasmuchinformationaspossibleaboutthefactsofthecaseandtheactionsbeingtaken.Thiswillallowustoassessiftheappropriateactionsarebeingtakeninanygivencase.
Thereisnolegalrequirementtoreportanotifiableevent.However,itisanimportantwayforcharitytrusteestoreassureusthattheyareontopoftheissuestheyarefacing.Ultimately,wemaybecomeconcernediftherehasbeenamatterthathasnotbeenreportedtous;especiallyif it goes on to haveanegativeimpactontheindividualcharityorthewidercharitysector.Wheresomethingsignificanthashappenedwithinacharityandthishasnotbeenreportedtousinfull,wewilltakethisintoaccountifwehavetoopenaninquiry.Ultimately,thiscouldbeconsideredtobemisconduct.
ReportinganotifiableeventhelpsOSCRtoassessthevolumeandimpactoffraudincidentswithincharitiesandtounderstandtherisksfacingthesectorasawhole.Thishelpsustodecidehowwecanbettersupportcharitiesthroughourguidanceandassesswhereweneedtofocusouractivities.
Ifyou’renotsurewhethertoreportsomethingasanotifiableeventpleasecontact us.
How OSCR looks at fraud
Page13 OSCRIFraud:Reducingtheriskstoyourcharity
• TheAction Fraud websitecontainsmoredetailedinformation onfraudandhowtoprotectyourself. • TheCharity Finance Group has guidance and checklists designedforsmallcharitieslookingtopreventfraud. • TheCharityCommissionforEnglandandWaleshasguidance called ‘Protect your charity from fraud’ and Internal financial controls for charities (CC8)whichcontainspracticaladvice andlinkstoothersourcesofhelp. • OSCR’sfactsheet:Cybercrime - what is it and what you need to know.
Where can I get more information?
Page14 OSCRIFraud:Reducingtheriskstoyourcharity
Where can I get more information? Notes
Page15 OSCRIFraud:Reducingtheriskstoyourcharity
The Scottish Charity Regulator (OSCR)2nd FloorQuadrant House9 Riverside DriveDundeeDD14NY
T 01382 220446
@ScotCharityReg
ScottishCharityRegulator
www.oscr.org.uk