The Charity Commission recently published a report outlining how insider fraud is affecting the sector and what you can do to minimise the risk to your organisation. As with all operational matters, the board of trustees are ultimately responsible for ensuring that their charity is well protected from fraud.
Insider fraud definition
The Commission defines insider fraud as any fraud perpetrated where a trustee, staff member or volunteer knowingly commits a fraud against the charity. This can be through financial/accounting means, unauthorised payments, inflating expenses or theft of information/data. It is clear that fraud is not all about money, but can relate to information and data, it is also important to factor in the effects on organisational reputation and staff morale when frauds are discovered.
Many trustees and staff working in the sector assume that because they work in a charity they are protected from fraud, ‘who would steal from a charity?‘. However there is no evidence to suggest that fraud in the sector is any less prevalent than in other sectors, and in fact some evidence suggests that the attitudes in the charity sector help encourage it, as trust in people is higher which allows fraud, especially insider fraud, to go unnoticed. Changing this culture and mindset is not an easy task for charity management.
In most cases, insider fraud is enabled because of either a lack of, or a failure in, appropriate controls. It is worth noting here that there is a distinction between not having appropriate controls and having appropriate procedures and policies in place, but where these are not consistently applied and enforced, but ultimately in both scenarios you leave yourself vulnerable. The main secondary factor contributing to fraud is excessive trust being placed in one individual.
When fraud is uncovered, charities should have policies in place to ensure these are reported to Action Fraud and/or the police and the Charity Commission.
How to reduce the risk of insider fraud
There are a number of ways for trustees and management teams in charities to reduce the risk of fraud and implement procedures and controls to prevent it happening. We would suggest the following as a minimum:
- Ensure bank reconciliations are carried out for all bank and petty cash accounts at least on a monthly basis.
- As far as it is possible, allow for segregation of duties on both reconciliations, payment processes and recording of receipts.
- Enforce dual signatories on cheque and BACS payments.
- Where cash is collected, ensure this is counted by two people, documented and banked in full as soon as practically possible.
The Charity Commission has detailed 10 steps to promote fraud prevention:
- Aim to develop a counter fraud culture
- Implement financial controls that everyone signs up to
- Conduct an annual review of fraud risk and internal controls
- Consider appointing a dedicated fraud officer on the board
- Encourage staff and volunteers to raise concerns
- Promote fraud awareness and consider training
- Conduct pre-employment checks and get reference checks
- Guard against excessive trust and complacency
- Don’t be afraid to challenge if you suspect wrongdoing
- Report suspect fraud to the Charity Commission and Action Fraud
What about other types of fraud?
As well as insider fraud there is still a growing risk from external fraud. We have reports from a number of clients where attempted frauds have occurred, from attempts to change bank details for suppliers (to divert payments), to impersonation by email frauds and various other attempts.
On the whole, these types of frauds are committed by social engineering. The fraudsters know that controls are in place, and attempt to manipulate human weaknesses to make changes or otherwise bend controls in order to carry out fraud. Below are some types to be aware of:
Where you receive emails typically impersonating a normal contact, your bank or a supplier. The emails attempt to extract data from you, or otherwise to get you to open attachments or click links which will then infect your computer with malware/ransomware or key-loggers.
Where contact is made by telephone and as above they try to extract information from you, typically requesting money is transferred (‘to protect it from fraudsters’)
Where a fraudster impersonates your boss and attempts to pressure you into making an ’emergency’ bank transfer or to reveal some other sensitive information. Typically email addresses are used which are similar to your normal emails (e.g. CEO@menzi3s.co.uk) so they can be difficult to spot.
This typically involves someone hacking into your email system and then monitoring your usual activity patterns. After a time, they then impersonate a normal supplier or contact and attempt to either submit a bogus invoice or request payment details to be changed. These emails can appear very genuine as they can often reference recent events or conversations you may have had with the genuine people.
How to avoid fraud scams
In all cases, treat any unusual requests with suspicion. From the reports we have received from clients, many only failed because the individuals concerned noted differences in the nuances of emails received, or due to frequent contact with the ‘CEO’ were just able to double check via conversation. Never provide pin numbers, passwords or authorisation codes by email or phone to anyone.
Check requests for bank detail changes by calling your normal contact back (on a number you already have) to double check. It is not uncommon at the moment for bank details to be changing with the de-risking activity of the major banks resulting in many sort codes being changed. Fraudsters are aware of this and are using the opportunity.
Ensure you have policies and procedures in place for any change to standing data and for payments to be made, do not deviate from these policies and where possible make it impossible for a sole individual to deviate by instilling system controlled segregation of duties.
Where you suspect a fraud, do not hesitate to inform your boss, the board, the police and the bank. The quicker you can act, the more likely you are to minimise the impact.
Please do get in touch with your usual Menzies contact should you have concerns about any of the above and want to discuss further. We would be pleased to advise on best practice and how policies and procedures can be strengthened in your organisation. We would be happy to assist with any testing of systems, and can look at a range of work from small spot tests to full reviews of procedures/policies.