Research and analysis

Focus on insider fraud: research report

Published 26 April 2018

Introduction

This report outlines findings from a Charity Commission study into how insider fraud is affecting charities.

Insider fraud is fraud committed by somebody within the charity such as a trustee, employee or volunteer. Examples of insider fraud include (but are not limited to) financial and accounting fraud, unauthorised payments to individuals, inflated expenses and the theft of information.

Insider fraud doesn’t just harm charity finances – it can also affect staff morale and retention, as well as damaging the reputation of a charity with its donors, beneficiaries and the public.

It’s a risk that all charities should be aware of and guard against. Trustees must manage their charity’s resources responsibly including avoiding exposing assets, beneficiaries or reputation to undue risk. They should put appropriate procedures and safeguards in place and take reasonable steps to ensure that these are followed.

Otherwise they risk making the charity vulnerable to fraud or theft, or other kinds of abuse, and being in breach of their essential trustee duties.

The charity sector has an annual income of nearly £76 billion. This an attractive financial target to both organized crime gangs and opportunistic fraudsters. To date there is no evidence to suggest that the charity sector is any more or less vulnerable to fraud than the private or public sectors. But, it has been argued that factors specific to charities could increase vulnerability to fraud, including insider (internal) fraud.

In 2016 the Charity Commission published its first ever high level analysis of a sample of frauds reported to us by charities as a serious incident. Although not intended to be representative of all frauds across the charity sector, the analysis noted that around one third of the frauds sampled were insider jobs.

Research purpose and approach

The aims of this new study have been to develop our knowledge and understanding of insider fraud in charities, specifically to better understand:

• the types of insider fraud occurring in charities

• the factors that make charities vulnerable

• current and emerging trends in the sector

The overarching purpose is to help charities become more resilient to insider fraud by highlighting good practice and improving our published guidance. The research involved two distinct phases.

In phase one, we reviewed a sample of insider frauds which charities had reported to us directly, or where information suggested the charity was at increased risk of insider fraud.

Phase two involved analysing responses to a ‘call for information’ to charities, sector organisations and professional advisors, which surveyed their experiences of insider fraud.

In tandem, we undertook a series of interviews with a number of charities, sector organisations and counter fraud professionals, in a bid to identify good practice across the sector.

Research findings

Phase 1 findings

In phase one of the study, we reviewed a sample of 20 charity cases that had either confirmed an insider fraud incident to the Commission, or where information suggested that the charity was at an increased risk. It was evident that in 19 of the 20 charity cases analysed, the absence of appropriate controls was the primary enabling factor – in either allowing the fraud to occur or in making the charity more vulnerable to fraud.

These findings were unexpected, given the results of the Commission’s 2016 review of a sample of reported fraud cases. In 2016 we had analysed a (non- representative) sample of both internal and external frauds reported to us as a serious incident.

We found that controls were often in place to prevent fraud or to facilitate early identification, but crucially, that those controls were not consistently applied. It was this non-application of existing controls that our 2016 review found to be the key enabling factor that allowed those frauds to occur.

The difference in findings between this study in 2018 and the earlier 2016 review may arise in part from the relatively limited (and random) samples chosen in both years. In addition, the 2016 cases included external as well as insider frauds. Our 2018 study focused only on insider fraud.

Taken in combination, the two studies strongly suggest that trustees should ensure that counter fraud controls are both in place and being consistently applied. Otherwise, charities are not adequately protected from harm.

Phase 2 findings

We received a total of 54 responses to the call for information. Although not a large enough sample to be representative, the responses provide an evidence base from which some meaningful inferences can be derived.

Responses were received from both small and large charities, with a third of respondents having an income of over £1million.

Who committed the insider fraud?

• 43% by an employee

• 33% by a trustee

• 10% by a volunteer

• 10% ’other’

(4% did not answer this question)

What factors contributed to the fraud occurring?

• 43% of respondents suggested the prime factor was excessive trust or responsibility placed on one individual

• 24% due to a lack of challenge or oversight

• 24% due to either absence of controls or existing controls poorly applied

• 5% confirmed it was due to a combination of more than one factor

(4% did not answer this question)

Impact on charities

Respondents highlighted consequences of insider fraud, which included:

• detrimental impact on beneficiaries through reduced service provision

• loss of funding/income

• an adverse effect on the charity’s reputation

• damage to team/organisational morale

• in one case, the charity had to close as a result

Action taken / reporting

• 62% of charities who suffered a fraud reported it to Action Fraud or the police

• 57% reported the fraud to the Charity Commission

• 19% of frauds reported to the authorities resulted in a prosecution

• 38% recovered part or all of the money/assets taken

• 81% undertook a review of existing controls following the fraud

• 76% of the frauds prompted media coverage

It is a concern that 38% of cases were not reported to Action Fraud and 43% were not reported to the Commission. Timely reporting, involving full and frank disclosure, information sharing and sector oversight are all vital tools in building a picture of insider fraud risk; new and emerging trends can then be identified and the wider charity sector alerted to prevalent threats.

Our review also found specific examples where weak or non-existent controls had enabled the fraud to occur, including:

• failure to reconcile transactions and bank statements on a regular basis

• poor segregation of duties/ unclear responsibility for financial controls

• only one signatory for bank transaction

• only one individual counting cash collections

Research conclusions

It is vital that charities take appropriate action that is proportionate to their activities, size and financial governance, in order to manage the risk of fraud. This report provides the Commission’s first evidential base designed to help charities understand insider fraud risks.

It is notable that the vast majority of insider frauds (nearly 70% of our sample) were enabled because of either excessive trust/responsibility placed on one individual, or lack of challenge and oversight. Fundamentally, these are cultural issues which require a change in mindset and behaviour within charities, and this may take time.

The first step in this process is to acknowledge that charities are no more or less susceptible to insider fraud than private or public sector organisations. Although the vast majority of trustees, employees and volunteers are honest and act with integrity, our research and supporting case studies reveal that without a strong counter fraud culture and consistently applied controls any charity can fall victim to insider fraud.

10 top tips for fraud prevention (infographic content)

1. Aim to develop a counter fraud culture
2. Implement financial controls that everyone signs up to
3. Conduct an annual review of fraud risk and internal controls
4. Consider having a dedicated fraud officer on the board
5. Encourage staff and volunteers to raise concerns
6. Promote fraud awareness and consider training
7. Conduct pre-employment screening and get reference checks
8. Guard against excessive trust and complacency
9. Do not be afraid to challenge if you suspect wrongdoing
10. Report suspected fraud to the Charity Commission and Action Fraud

Wider lessons

Good governance and effective culture

Strong financial controls and good governance go hand in hand. No single measure can guarantee good governance in charities, including fraud prevention, but by adopting good practice charities can publicly demonstrate their commitment to good governance and reduce the likelihood of becoming a victim of fraud.

Where there is a limited base of trustees, staff and volunteers and/ or low fraud awareness within a charity, it will be more vulnerable to fraud. A strong counter fraud culture is widely recognised as the vital overarching element of effective fraud risk management. This starts with the tone set at the top of the organisation and is important regardless of a charity’s size, type or income.

All individuals within charities should feel confident to provide appropriate challenge where they have concerns about fraud.

The right people

Charities should carry out appropriate employment checks proportionate to the level of fraud risk of individual posts. For example, the level of reference checks required may vary depending on the volume and value of financial transactions associated with the post.

Medium and larger charities may want to consider having a trustee with specific responsibility for counter fraud, ideally with an enhanced knowledge and understanding of counter fraud risks and good practice, which would provide enhanced Board level challenge for the organisation.

Larger charities and those with high numbers of financial transactions may want to consider the use of dedicated counter fraud resource as a proportionate response, where the level of fraud risk is significant.

Adopting suitable controls, policies and procedures

Trustees need to make sure they have adequate controls, policies and procedures in place to safeguard the charity’s assets and reputation. To be most effective, the financial controls should be tailored to the specific needs of the charity. But, having financial policies and procedures is only the starting point - awareness raising, appropriate training and consistent application of controls are also required.

For detailed advice, trustees can look at the Commission’s internal control checklist and charities - fraud and financial crime.

As good practice, trustees should commit to regular reviews of their internal controls, to ensure they remain fit for purpose and are being consistently applied.

Culture, behaviour and appropriate challenge

Aim to develop a counter fraud culture within the charity, so that trustees, staff and volunteers feel empowered to raise concerns about fraud. Where issues are uncovered, be prepared to act responsibly and take appropriate action. Ensure that frauds are reported promptly to the appropriate authorities (Action Fraud, Police and Charity Commission).

An effective counter-fraud culture will allow appropriate challenge and encourage a professional, inclusive environment, where concerns are taken seriously and not ignored. The need to challenge can come in many forms; from insisting that receipts be presented before staff expenses are paid, to insist that the treasurer provide full financial updates at regular committee meetings.

Segregation of duties

Where the number of trustees, staff and volunteers are limited (for instance in smaller charities), adequate segregation of duties and dedicated responsibility may be difficult. But, it’s good practice to ensure that no one individual has unsupervised control of a charity’s finances.

Trustees should have unrestricted access to financial information such as bank statements, invoices and receipts in order to hold treasurer’s to account.

Reporting serious incidents

It is essential that trustees understand their responsibilities for reporting serious incidents. Where a charity has identified a fraud (internal or external), a suitable and timely report should be made to the Commission, outlining what happened and the steps being taken to deal with the incident.

It is our regulatory role to ensure that trustees comply with their legal duties and that charities manage incidents responsibly, taking steps to limit immediate impact, strengthen controls and protect their charities for the future.

Serious incident reporting helps us to gauge the volume and impact of incidents within charities and to understand the risks facing the sector as a whole. This insight informs our approach as regulator and may lead us to issue timely advice, guidance or alerts to warn other charities of identified risks and how to manage them.

Whistleblowing

Charity employees can use our whistleblowing procedure to raise a concern at any time about an incident that happened in the past, is happening now, or are concerned may happen in the future.

Case studies

The anonymised examples are a sample of the cases of insider fraud that we have seen. Themes include poor or non-application of financial controls, low fraud awareness and expertise, and excessive trust or lack of challenge within charities.