Charity trustees have an overarching responsibility to protect the resources of their charity and not put its assets at risk, with the prevention and detection of fraud being a central component of this. In our October 2021 blog Fraud and cybercrime in the charity sector we looked at the common types of fraud, and outlined some of the simple preventative steps that can help protect the charity.
What if the worst does happen though? Where a charity does suffer a fraud incident, the response and reaction of trustees and management to this can make a huge difference – both in terms of the overall impact on the organisation, and in demonstrating that the trustees have acted in accordance with their charity trustee responsibilities.
The Charity Commission and Fraud Advisory Panel have prepared some useful guidance on this - see Protect your charity from fraud and cyber crime - GOV.UK (www.gov.uk), noting the key steps on the initial discovery or suspicion of a fraud:
- If in doubt, take action and report it
- Act quickly, to minimise harm done and maximise legal options
- Take steps to preserve evidence
- Report to the relevant authorities, particularly Action Fraud and the Charity Commission
In addition, we would always suggest that steps are taken as soon as possible to establish the full extent of the fraud and any potential ongoing exposure – such as identifying any continuing IT vulnerabilities, or whether there may be a GDPR risk connected with the breach, with professional assistance engaged where necessary.
Trustees must be take ownership of the situation, and be kept informed of relevant developments and actions. Where appropriate, it may be useful to establish a working group of trustees from the Finance & Audit Committee, or similar, and senior management of the charity to co-ordinate actions and manage communication with the rest of the trustee board.
Following the initial response, it is of course essential that the charity drills down into exactly what has gone wrong and why, and how it needs to respond to avoid any repeat – be it in terms of systems/controls, training or the charity’s culture and ways of working. It is important that such a review makes an honest and comprehensive assessment of any shortcomings which may have enabled the fraud to take place, and set out clear and specific actions to be taken to address these.
Trustees and management will also need to consider carefully how they communicate the news of the fraud incident; both within the organisation and externally to appropriate stakeholders, and potentially to the media.
With all of these points, it is of course better to have though through the issues and identified potential responses in advance, rather than in the midst of a highly stressful incident. As such, it is recommended that charities develop their own ‘fraud response plan’. Hopefully, this may never need to be used, but by having been through the process of disaster planning, the organisation will be much better placed to respond in a controlled and pro-active way.
The next step
Prevention is better than cure, and we can help assess whether your charity’s systems and controls provide a robust defence against fraud, and make practical recommendations for improvements.
Please contact your local UHY charity specialist to discuss how you can address and manage your charity’s risk from fraud.