Insider fraud is a growing issue in the charity sector. The Charity Commission estimates that over a third of all frauds are internal, committed by staff, volunteers and trustees and it fears these figures are just the tip of the iceberg…
It’s not just charity finances that are affected by insider fraud; it can damage staff morale and retention, as well as the reputation of the charity. Charities therefore need to be vigilant of the warning signs and ensure they have good controls in place and the right culture to help deter, prevent and detect fraudulent activity.
The Charity Commission says 19 out of 20 fraud cases they have investigated happened because the charity lacked robust controls. Typically, excessive trust in staff, a lack of challenge and the absence of controls are the three main contributors to insider fraud.
So how can charities spot the red flags and warnings signs to protect themselves?
Hindsight is a wonderful thing and when it comes to internal fraud most charities can see how an incident happened. In most cases, the signs were there and were probably not particularly well-hidden. For instance, it isn’t too difficult to explain someone’s change in finances - they could have received some inheritance or a pay-out from an ex-spouse. Charities shouldn’t consider the signs in isolation, but rather as a suite of signs that may create a perfect storm.
Warnings signs and considerations
There are four key areas to focus on that could indicate fraud:
1. The first area is people. Changes in behaviour such as sudden expensive purchases, unusual work patterns, annual leave not being taken could all be warning signs that something isn’t right. People inside an organisation attempting fraud may also be particularly defensive over queries raised about their work. Charities need to consider how they would know if there was a change in someone’s personal circumstances and how managers, colleagues and volunteers should raise any concerns and with whom.
2. The second area is culture. The high turnover of staff and volunteers, dominant individuals and unplanned transactions that take place outside of the ‘normal’ controls could all be warning signs. Charities need to look at the internal culture of the organisation and assess if it’s conducive to deterring fraud or not. This includes how it manages, and is seen to manage, its “dominant” people.
For example, is there a hierarchy and blame culture that makes it difficult to challenge those in senior positions? If the answer is yes, it may discourage staff that spot warning signs to speak up. Charities will need to work hard to change this and develop a more open culture where people can feel comfortable reporting something they are worried about.
3. Charities also must look at their controls. If there is a lack of segregation of duties, audit trails and approval processes, this could provide the ideal environment and opportunity for fraud. Charities relying on trust, rather than robust controls, can find themselves vulnerable.
The control environment does not always change in line with the organisation. As organisations grow, the controls may not, or perhaps not at the same pace. Organisations need to review where their controls might be weak and assess regularly if the controls they do have in place adequately protect individuals and the charity. Some controls may be better outsourced which may help to deter fraudulent activity.
4. The final area is oversight. Warnings signs could be ineffective review of reconciliations, little or no due diligence over supplier changes and ineffective challenge. Charities should consider whether oversight activities are less thorough over work done by long serving staff and question how to make better use of system exception reports before challenging the extent that oversight activities in place would be able to detect fraud.
If someone sets out to commit fraud, they will find a way, but if charities invest time in understanding their vulnerabilities, they may be able to deter, prevent and detect fraud attempts in a more thorough and consistent way.
Policies, processes and controls must be kept up to date, adapted and reviewed regularly to ensure they are fit for purpose and reflect the changing environment that they operate in. More importantly, there must be internal assurance processes that capture whether the policies, processes and controls are actually adhered to.
Times have changed, and trust can no longer be relied upon. This can be a difficult change to an organisation’s culture, but it is important to enable a charity to be truly accountable to its beneficiaries, donors, the public and to protect the reputation of the organisation and its people.