This section of the Governance Toolkit covers issues of financial abuse - what charities need to know, how they can mitigate risks and the ways to manage problems that may arise.
Read the guide and then check your understanding by taking the assessment available at the bottom of this page. You do not need to submit this assessment to the ACNC - it is optional and designed to help you measure your understanding of the topic and identify areas for training or improvement.
What is financial abuse?
Financial abuse is the misuse of a charity’s resources, whether they are physical assets, funds or stock. This can take a range of forms, including dishonest use, theft, fraud, bribery and corruption, or even money laundering and terrorist financing.
Financial abuse often involves misuse of:
- funds and cash
- credit cards
- assets, consumables, inventory or stock
- financial and other statements.
Financial abuse can come from inside a charity – perhaps with employees, volunteers or consultants – or from outside a charity – perhaps through partners, vendors, suppliers or the public.
Sometimes financial abuse is comes from a collusion between people inside and outside a charity.
Risks and consequences
Financial abuse can occur in a range of ways. Some common examples of financial abuse include:
- fraudulent financial statements, fake invoices or purchase orders
- payroll theft or fraud, including entitlements
- misuse of charity resources for private benefit
- legitimate charities being used to raise funds for fake causes or beneficiaries
- bribery and corruption, extortion
- terrorist financing, diverting funds to unauthorised people and breaching international sanctions.
People involved in charities should be aware of the risks of financial abuse. Some characteristics that may present risks include:
- a lack of oversight and scrutiny of financial processes
- financial decisions being limited to few people
- a lack of transparency with use of funds
- incomplete records or records that are difficult to find or follow
- insufficient knowledge of how the charity finances work.
Incidents of financial abuse can be complex. Financial abuse can initially appear as a simple and innocent issue (for example, an error in a statement or a failure to follow a procedure), but it is important to be open to the possibility of wrongdoing. Being aware may allow you to step in early and prevent financial abuse from happening.
If financial abuse occurs, it can have a wide range of consequences for a charity, including:
- damage to reputation
- failure to deliver services to beneficiaries
- low morale and productivity
- inability to attract staff and volunteers
- loss of access to grants and donors
- loss of charity registration.
The consequences of financial abuse can be severe for charities, so it is vital to take the time to consider how your charity prevents financial abuse and how it may respond if it occurs. Your charity can reduce the likelihood of financial abuse occurring with a thorough approach to managing its risks.
All charities registered with the ACNC must continue to be not for profit and pursue charitable purposes. They must also keep financial records, and report information annually – including financial information. It is important that your charity does all it can to prevent financial abuse so it can continue to meet these obligations.
Most charities must also comply with the ACNC’s Governance Standards and, for charities operating overseas, the External Conduct Standards. Many aspects of these obligations help to protect charities from financial abuse, and some contain specific requirements for financial management. For more, see our guidance on the Governance Standards and the External Conduct Standards.
Depending on the location and nature of your charity’s operations, there may be other state, federal or overseas legislation with which your charity must comply. You should consider getting legal advice to fully understand what legal obligations there may be for your charity.
Protecting your charity from financial abuse
Although the ultimate responsibility to protect a charity from financial abuse lies with the charity’s Responsible Persons, everyone has an important role to play.
It is important that each charity considers its own circumstances when considering its risks.
In many ways, good governance and strong financial management are a charity’s best defence against financial abuse. However, there are five specific steps that every charity can take to help it protect its resources from abuse:
- Identify and assess the risks, as well as any legal obligations
- Commit to zero tolerance for abuse
- Prevent and mitigate risks with good policies, procedures and systems
- Detect possible instances of financial abuse and non-compliance
- Take action when concerns, suspicion or complaints arise.
Most of these steps are simple and most charities will be able to take them. But if you think your charity doesn’t have anyone available with enough knowledge and experience, you may need to seek outside help.
Identify and assess
Conduct a risk assessment:
- identify the risks of financial abuse that your charity faces
- prioritise each risk according to its likelihood and consequences
- identify the policies, procedures and systems that will deal with the risks.
This is a methodical way to make sure that your charity has considered what could happen, and how it will approach incidents that do happen. You can conduct risk assessments for the whole organisation, for a particular department, or even for specific processes, programs or projects.
Risk assessments do not have to be complex and bureaucratic. A simple and methodical approach is best.
When conducting a risk assessment for financial abuse, use these points as a guide:
- Think broadly about all the things that could be targeted. This might include data, people, funds – even financial statements. Where are these things located? To what forms of financial abuse could they be exposed?
- Consider both internal and external activities, such as your charity’s supply chain, partners and subcontractors. What could go on just beyond your charity’s view?
- What is the likelihood of your charity’s resources being affected by these risks? How common are incidents like these?
- What might the consequences be in the case of an incident? Consider the effects on your charity’s beneficiaries, reputation, financial position, partners, and the morale of staff.
- Seek lots of information to understand the risks. Consult widely, for example through meetings, workshops and surveys, and identify information sources such as previous incidents, audit reports, events in other organisations, and media reports.
To get started, please see our template document for a risk assessment.
Once you have identified the likelihood and consequence of risks, you can focus on the most significant ones and address them with appropriate policies, procedures and systems.
Review the risk assessment regularly to make sure it is up to date – for example, an annual review may be appropriate or after significant changes in your charity’s operations.
Maintaining a registry of your charity’s legal obligations can also be helpful. This can help you keep track of any changes that may affect how your charity manages its risks.
Your charity’s leaders, whether they be its Responsible Persons or senior management staff, should clearly express their commitment to fighting financial abuse. This commitment could be demonstrated, for example, through written statements, endorsement of strong policies against financial abuse, or contributions to wider anti-fraud and corruption initiatives.
The cornerstone of your charity’s approach to managing risk, though, should be a policy that works to prevent financial abuse. Such a policy should:
- include a clear statement of commitment that your charity will not tolerate financial abuse
- define key terms, such as fraud, corruption and conflicts of interest
- give people specific responsibilities to manage the risk of financial abuse
- explain how people should report their suspicions, and what protections exist for those that do.
Everybody should be able to access the policy – beneficiaries, staff, volunteers, partners, vendors and suppliers, and perhaps even the public. It is good practice to make it available to the public.
Part of your charity’s commitment means making sure that all staff and volunteers understand the risks of financial abuse, how they can help prevent it, detect it, and act on incidents.
A good way to raise awareness among staff of the risks is to have regular informal discussions and workshops – for example, at a monthly meeting. But dedicated training on financial abuse and wrongdoing is always a worthwhile option. Also, there are many good resources available online for free.
Developing a culture that minimises the risk of financial abuse is an important and effective way to protect your charity. To help develop and maintain a culture that strengthens your charity against financial abuse, consider these questions:
- Does your charity express its values in a code of conduct?
- Does the leadership of your charity embody the desired culture, and do their words and actions encourage others to be part of it?
- To what extent do the people in your charity demonstrate integrity, transparency and accountability?
- How are these values built in to your charity’s governance, management processes, and systems?
- How do attitudes and events in your charity compare with the culture your charity wants to develop?
Policies, procedures and systems can reduce the likelihood and consequences of financial abuse. These are commonly called internal controls.
Internal controls should be appropriate for your charity’s circumstances. When creating them, the following principles might help you identify the best controls for your charity:
- Segregation of duties. Prevent and detect financial abuse by requiring more than one person to approve or carry out financial activities. For example, have a rule that means two or more people are needed to approve transactions or to count cash together.
- Access controls. Prevent abuse by limiting access to systems and storage. Who needs access to what, and why? This may include passwords for computer systems, and physical locks for safes, cabinets and rooms.
- Audit. Detect abuse with physical or electronic audits. This includes checking inventories of assets, stock and cash.
- Reconciliation. Detect abuse by carefully checking assets, funds, stock or documentation. For example:
- before approving a transaction, compare the invoice and the purchase order
- compare the balances in your charity’s books and records with its bank accounts
- look at inventory numbers - is anything missing?
- Standardising documentation. Detect and prevent abuse by having documented procedures and ensuring staff and volunteers follow them. Standard formats can help to promote good practices, highlight deviations, and make reviews easier.
- Approvals. Prevent abuse by having clear processes for approvals. In general, transactions of higher value or greater risk should be approved by higher authorities – and remember the importance here of having more than one person approve transactions.
- Due diligence. Prevent abuse by doing sufficient background research and checks for decisions involving finances. For example:
- before signing a contract, research the potential supplier
- before reimbursing an expense, check that it was a legitimate expense and there is a receipt to support it
- before employing someone, check their references and verify their identity.
- Trial balances. Detect abuse early with regularly checking your charity’s accounts.
Typically, a charity will set out its controls in policies and procedures such as:
- a code of conduct
- a policy for addressing conflicts of interest
- a policy, procedure or manual for finances
- a policy, procedure or manual for procurement, supply and logistics
- a policy and procedure for fraud control
These policies and procedures will be different according to the size and resources of a charity. For example, a small charity may have a single manual covering all these requirements, while a larger charity may need several different policies and procedures.
It may not be possible to prevent all incidents of abuse. But detecting incidents that slip through early, and taking immediate action in response, is important. The longer your charity takes to act on financial abuse, the worse the likely consequences will be.
A helpful concept is the red flag. A red flag represents suspicious activity that might indicate abuse. Red flags are not proof of anything bad, and there may be innocent explanations for things with a red flag, but it is important consider them as a possible indicator of financial abuse.
A red flag may be used for a single anomaly, such as a transaction at an unusual time, or it may be used for several things that become suspicious in a particular sequence or context.
The Association of Certified Fraud Examiners identifies five categories of red flag:
- Accounting anomalies. For example, missing supporting documents or unexplained journal entries
- Internal control weaknesses. For example, persistent failures, such as controls being overridden by managers, or no segregation of duties
- Analytical anomalies. For example, transactions that happen at odd times, or the dates on documentation being out of sequence
- Operational anomalies. For example, unusual events in the life of an organisation, such as high turnover of staff in a compliance team
- Behavioural anomalies. For example, staff living beyond their means, never taking leave, being over-defensive or protective of their work, personal financial problems or addiction to substances
Sometimes charity workers believe that because their charity has not detected any incidents of abuse, there are none to find. This is unwise because most forms of abuse are deliberately deceptive. Detection alone is a poor measure of the extent of incidents or the scale of the risks. It is important to consider whether there are any red flags, and whether your charity can identify them.
There are a range of ways to detect red flags.
- Active detection. This might include using data analytic software, or doing proactive reviews of processes, accounts and documentation.
- Passive detection. This might include:
- an overt reporting system in which people report suspicious activity to appropriate people in the charity
- a confidential reporting system in which people can report suspicious activity confidentially and anonymously.
Typically, ways to detect red flags are set out in policies and procedures, such as a confidential reporting or whistleblower policy.
It is important to take prompt action on potential incidents.
Your charity should have:
- a clear, documented process for managing a suspected incident
- clearly assigned roles and responsibilities – make sure people know who is responsible for doing what
- access to qualified and experienced staff to carry out investigations if necessary
- an effective procedure for dealing with misconduct
- a procedure for reviewing incidents to ensure that lessons are learned
- a procedure for reporting incidents to external parties if necessary, for example the police, the ACNC, or a partner or donor agency.
It is often a good idea to keep these documented processes and procedures together in a ‘Response Plan’.
When considering how to investigate a matter, consider:
- Does your charity have skills, experience and capability to properly investigate the matter? If your charity doesn’t have the capability, it is a good idea to seek support from outside.
- Would your charity be able to show that the investigation was sufficiently independent?
If your charity has to address an incident of financial abuse, it is crucial that it learns from the experience. Lessons could lead to:
- a new policy, procedure or process where previously none existed
- improving an existing policy, procedure or process
- training for current employees and volunteers
- hiring staff to fill necessary positions.
Case study: Learning from experience
A charity in Sydney provides after school care for disadvantaged children.
When it was first set up, the charity got advice from its accountant on some basic internal financial controls, but they never formalised this with written policies or procedures. The charity managed its finances using habits developed over a few years, informal practices and a lot of trust.
Recently, the charity issued credit cards to some staff to allow them to purchase essential items for their work, and sometimes card users let other staff or volunteers also use their cards.
After buying something with a credit card, the staff member responsible for it was supposed to send a copy of the receipt for their purchase to the charity’s bookkeeper, but they often forgot.
The charity CEO was not too concerned about this because she was happy to approve payments if the card user sent an email with details of the purchase and an explanation of why they made the purchase.
When following up a missing receipt, the bookkeeper noticed that the staff member who made the purchase had left the charity several weeks earlier. No one cancelled the staff member’s card when he left, and other staff and volunteers kept using it. There were many regular purchases on the statement, but there were also some questionable - and expensive - ones.
The charity’s board ordered a report on the charity’s financial processes. The report found several problems:
- There were no documented formal policies and procedures to help control finances
- The process for allocating the credit cards was too lax
- There were unnecessarily high limits on the credit cards
- Purchases were regularly approved without enough evidence
- There was a lack of resources to properly manage the charity’s finances.
The findings of the report led to changes. The charity:
- began regular mandatory reviews of transactions
- adopted a policy of zero tolerance for fraud and made staff and volunteers aware of the consequences of fraud
- provided a way for people – both staff and volunteers, as well as the general public – to report concerns about its financial activities
- reviewed its agreements with partners to make sure that the partners also had obligations to report any suspected incidents of financial abuse.
Having faced some allegations of financial misuse on social media, the charity decided to be open about its troubles and subsequent improvements. Its openness and transparency helped it build further trust and confidence within the community.
Financial abuse assessment
Template risk assessment
Financial abuse checklist
Other useful resources
- Protect your charity from fraud, ACNC
- Managing charity money, ACNC
- Managing conflicts of interest, ACNC
- Protecting charities from harm: Compliance toolkit, Charity Commission of England and Wales (UK)
- Indigenous governance toolkit, Indigenous Community Governance Project
- Protecting Your Organisation Against Fraud, NCOSS
- Internal controls for not-for-profit organisations, CPA Australia