
The ACNC conducts reviews that focus on charities at risk of failing to meet obligations under the ACNC Governance Standards or External Conduct Standards.

A program of reviews began in 2020-21 and will run through to 2024-25, with 20 completed in 2020-21, and 50 per year for the remainder of the program.

The purpose is to help us work with charities to better address issues early on, and respond proactively to emerging risks.

Helping charities maintain good governance also supports the sustainability of the charity sector, as well as helping maintain public trust and confidence in the sector. Further, the program enables us to address recommendations from the Australian National Audit Office to improve our risk-based approach to managing compliance in the charity sector.

We have published report summaries for the reviews completed to date. They summarise review outcomes, and include lessons for charities based on the findings and our understanding of best practice.

ACNC compliance review report summaries and key findings

In this review, we focused on charities’ use of complex structures, including the reasons for their use, and the governance and compliance risks that may accompany their use.

The term 'complex structure' is not one that is defined in the ACNC Act or Regulations, but we use it as a descriptive term for charities that use (or are within) a corporate structure that includes multiple entities working together.

Operating within a complex structure is not, in itself, a problem or an indicator of poor governance, and the ACNC acknowledges that there can be good and legitimate reasons for these structures.

However, the use of complex structures comes with more complex governance matters for charities to consider and manage. And without careful management, these issues can lead to inadvertent non-compliance with relevant laws.

Charities operating within a complex structure, and their Responsible People, must ensure appropriate levels of oversight and governance are in place. The areas that require particular attention include:

  • financial governance and controls, particularly in relation to related party transactions
  • managing the increased likelihood of perceived or actual conflicts of interest arising
  • ensuring that there is clarity around the roles of different corporate entities and the people who are responsible for, employed by or volunteer for them within a complex structure
  • ensuring there is clarity in meetings or deliberations of Responsible People about what proposed decisions relate to which entities within a complex structure
  • ensuring organisational policies and procedures and record-keeping practices are appropriate for each entity, and
  • understanding potentially different legal obligations that apply to for-profit and charitable entities, and entities undertaking forms of regulated activities within a complex structure.

Review focus

Our review looked at how charities met their obligations under the ACNC Act and Regulations.

We wanted to understand why charities were operating within a complex structure, and how they managed areas of governance that may be more complex on account of their structure.

Key findings

All charities that took part in this review demonstrated satisfactory governance. This was because they:

  • could demonstrate why their use of a complex structure assisted in fulfilling their charitable purpose
  • tailored their governance practices to their specific structure, often with the support of specialist advice
  • periodically reviewed their structure and governance practices to ensure their arrangements and practices were fit for purpose.

Reasons for using a complex structure

Our review found that charities managing governance appropriately had purposefully adopted their complex structures to fulfil operational needs or strategic plans.

The benefits of adopting a complex structure included:

  • operational and strategic flexibility – charities often pursue their purposes through diverse activities such as service delivery, advocacy, fundraising and operating social enterprises. Different corporate structures may be better suited (or legally required) for specific activities, or to gain access to different types of funding sources.
  • risk management and asset protection – activities with different risk profiles can be isolated or ‘ring-fenced’ within separate entities. This can help protect the assets and sustainability of a broader group by limiting exposure from higher-risk operations.
  • tailored governance and expertise – charities may opt to appoint Responsible People with specialist skills relevant to specific activities that would benefit from more targeted oversight and guidance, without diluting a broader composition of the board for the ‘main charity’.
  • shared services and resource efficiency – a group structure can enable centralised or shared services such as finance, HR, IT, legal, and governance support across multiple entities. This can reduce duplication, improve consistency, and achieve economies of scale, particularly in larger or more complex organisations.

Risks and governance considerations for complex structures

Charities we reviewed also acknowledged that complex structures came with increased complexity in governance considerations – partly because these charities may be undertaking a broader variety of activities in delivering their charitable purpose, and partly because of the complex structure itself. Two charities indicated that they intended to restructure their charity back into a single entity, as a matter of preference.

Key risks or considerations charities highlighted included:

  • increased overall compliance burden – where different entity types and/or activities being undertaken were subject to various regulatory frameworks, the aggregate compliance burden for a complex structure could be substantial
  • risks of silos – without great communication, having separate boards (and sometimes management) of multiple entities can lead to fragmented decision-making, or reduced visibility of risks or opportunities that impact on a group of entities
  • increased potential for conflicts of interests and duties – having common boards or common directorships increases the potential for Responsible People to encounter conflicts of interest or fiduciary duties – particularly when multiple entities are transacting with one another to share resources or achieve other outcomes.

Some of the ways charities managed these issues included:

  • holding separate board meetings for each entity within a complex structure and ensuring record-keeping is well managed for each entity
  • establishing group policies and governance frameworks – where possible, to apply consistent risk and compliance practices across entities
  • providing training on governance and directors' duties to ensure that Responsible People understood their obligations and the specific challenges or increased complexity associated with the complex structure in place
  • obtaining independent, specialist advice for specific legal, financial or governance matters that may impact the entire complex structure or a specific entity within it
  • periodically reviewing the complex structure to ensure that it remained suitable for the charities’ needs, and the governance and compliance requirements associated with the structure were being appropriately managed.

See our detailed guidance on complex structures for more information.

In this review, we focused on charities that had been registered with the ACNC for four years or less.

While the charities that participated in this review may have been relatively ‘young’, they had all recently engaged with the ACNC in an official, structured way through our registration process.

By finding out more about how a charity’s age affects their overall engagement with the ACNC – as well as their understanding of compliance obligations – we can better target our guidance for the sector.

Review cohort and focus

We reviewed 20 charities that had already reported to the ACNC at least once, and had been registered for four years or less. Of the charities that were reviewed, seven were small, eight medium and five large. Seventeen of the 20 operated in Australia only, while three also operated overseas.

The review cohort covered a variety of sectors, including housing, aged care and humanitarian charities.

Our review looked at how charities:

Key findings

All charities that took part in this review had a good overall understanding of their compliance obligations to the ACNC, including reporting responsibilities and how to maintain good governance relative to their activities.

We identified areas of improvement for all charities we engaged with, and we provided advice and resources to each charity to strengthen its governance practices.

It is important that charities regularly review their governance to ensure robust measures are in place, and that they continue to be appropriate. The ACNC supports charities to address issues and stay on track by providing guidance and resources relating to key aspects of charity governance.

Other findings included:

  • As all the reviewed charities had engaged with the ACNC relatively recently through the registration process, all had some level of awareness of the ACNC’s guidance and educational resources. However, most charities engaged with the ACNC’s resources ‘reactively’, meaning they only reached out when they had problems. Relatively few charities used ACNC resources ‘proactively’, such as improving their governance through the use of self-evaluation checklists, webinars, or podcasts.
  • Review participants retain a positive attitude towards their compliance and reporting obligations to the ACNC. Most charities acknowledged that their obligations were a normal part of running a good charity that provided maximum benefit, rather than being an unnecessary burden. Generally, there was a trend that larger, better resourced charities had a better understanding of their obligations, as well as more robust governance. This suggests that smaller charities could make better use of free charity resources to support their work – including resources provided by the ACNC.

Charities can use our guidance, resources and tools to learn more about charity governance and obligations.

With charities increasingly becoming a target for cybercriminals – particularly if people try to access personal information so they can sell it or use it for fraudulent purposes – robust cyber security practices are essential.

‘Cyber security’ refers to protecting an organisation’s electronic information from unauthorised access.

For charities, this means protecting all electronic information related to finances and operations. It also covers the protection of any personal or sensitive information that a charity handles, as well as the protection of a charity’s electronic communications from unauthorised access.

The threat of cyber attack is real and poses a significant risk to charities. Regardless of your charity’s size, if it has donors, members, volunteers, staff or beneficiaries it likely holds personal information that could be taken and misused if there is an attack on your systems.

Cyber attacks can lead to financial losses, data breaches, issues with privacy, and reputational damage. Donors and beneficiaries can lose trust in the charity as a result, and public confidence in the wider sector can be affected.

Strong cyber governance helps protect charities’ sensitive data, ensures continuity of service in the event of a cyber incident, and helps protect donor and public trust and confidence.

Our review focus

Our review looked at cyber security as an emerging area of risk for charities. We aimed to identify key areas where charities could strengthen their governance to ensure they minimised cyber security risks, and to ensure they could manage a cyber incident if necessary.

Our review focused on risks relating to governance, financial mismanagement, fraud, and data breaches. We selected charities for the review based on their size, activities, source of revenue and beneficiaries; most of the 25 charities that participated in the review were large.

We evaluated charities based on:

  • the cyber risks the charity identified
  • how the charity protected itself from cyber attacks
  • the steps the charity would take, or has taken, in the event of a cyber security breach.

Key findings

Most of the charities that took part in this review had satisfactory cyber security governance.

They achieved this by:

  • having robust information and data management policies and procedures in place, as well as governance that enabled and supported board members in driving strong cyber governance practices
  • promoting a strong culture of cyber security awareness to ensure the charity’s people understood common cyberthreats and best practice measures to manage them
  • drawing on the latest cyber security resources, tools and advice freely available online through various lead agencies and organisations
  • understanding the cyber security risks that the charity and its people face in the context of its unique operating environment, and taking steps to actively monitor and manage these risks.

Some of the larger charities we reviewed were better resourced, and were able to invest more significantly in cyber security. For example, some had dedicated staff focused on managing these risks.

Smaller organisations we reviewed were often not as advanced in their approach to cyber security. Some smaller organisations drew on staff expertise in areas like information technology and were accessing resources that were free and already available.

Issues with cyber security governance were found when charities:

  • paid little attention to cyber security risks
  • did not have a plan to respond to cyber incidents
  • lacked appropriate policies and procedures on data management and retention, including when working with third parties like contractors.

The appropriate steps for a charity to take in order to address the risk of cyber attack will depend on several factors, including the type of data the charity holds and how it is stored.

The Australian Cyber Security Centre lists several simple measures that all charities can take to protect themselves from cyber attacks and other threats. These include:

  • regularly updating passwords, and ensuring strong passwords are required to access information
  • reviewing access controls and determining which staff and volunteers need access to information
  • using multi-factor authentication, whereby people logging into accounts are required to provide multiple ways to authenticate their identity – for example, a PIN or biometric factor
  • using secure cloud services.

Other measures charities should consider to protect themselves include:

  • providing annual cyber security training for staff and volunteers
  • ensuring charity devices – for example, laptops – are locked and properly secured when not in use
  • ensuring any charity information that is backed up electronically is also properly secured and can only be accessed appropriately.

There can be certain times or events that prompt charities to consider their cyber security risks. These include:

  • when entering into or ending arrangements with third parties to hold charity data
  • when upgrading or changing IT products
  • when onboarding new staff, or when staff leave
  • when launching new fundraising campaigns.

Seeking advice

Guidance on how to identify and prevent cyber risks can be found in our Governance Toolkit: Cyber security, including resources, templates and case studies.

There are also links to free and highly useful resources provided by key agencies, including:

In this review, we focused on safeguarding, which can be defined as protecting the welfare and human rights of people that are, in some way, connected with a charity or its work – particularly people that may be at risk of abuse, neglect, or exploitation.

Best practice for safeguarding is not limited to a charity's beneficiaries or the users of its services; it can include a charity’s staff, volunteers, and third parties connected to the charity, such as suppliers and partners.

Safeguarding is an important focus area for the ACNC because ineffective safeguards can result in an increased risk of harm to people.

Review focus

We reviewed charities that faced safeguarding risks. Our review focused on how charities:

  1. ensure people are suitable to be involved with the charity
  2. identify and manage safeguarding risks
  3. ensure their Responsible People understand and meet legal obligations to safeguard its people
  4. allow people to raise concerns and report incidents and allegations of wrongdoing.

Key findings

The key lessons from the review were:

  • Charities that engaged with the wider charity sector, or their specific sector (e.g., the disability sector) were able to share knowledge and resources. This reduced the individual burden on each charity.
  • Strong safeguarding requires charities to take the time to establish appropriate processes, systems and procedures. The ACNC has existing resources, including templates and guidance, to help charities meet their safeguarding obligations. Smaller charities may also benefit from working with larger, more experienced charities and peak bodies.
  • The charity sector acknowledges the importance of safeguarding and understands the risks of poor safeguarding.
  • Safeguarding was often reflected in a charity’s culture but was not always documented in formal policies and procedures. This resulted in inconsistency in addressing safeguarding risks.
  • Most charities were aware of their various legal obligations in relation to safeguarding. However, these obligations were rarely collected in a single place, such as a ‘legal obligations register’. This made it difficult to keep on top of changes to relevant legislation.

Safeguarding is part of a charity’s primary duty of care. To learn more about your charity's obligations, see our Governance Toolkit: Safeguarding vulnerable people.

Founders often bring great passion and drive to a charity and improve its ability to achieve its mission. But if a founder maintains disproportionate power and influence over a charity and its board, our review shows it can create a governance risk for that associated charity.

The authority for a charity’s governance should rest with the entire board, which should act in the best interests of the charity.

Power and influence should not be weighted strongly towards a particular individual.

Governance problems can arise when a charity’s people place a disproportionate amount of trust in, and reliance on, a founder – for example, allowing them to control the direction of a charity and make all the decisions without any formal processes or input from others. This is sometimes called ‘Founder’s Syndrome.’

Our review into charities where founders maintain key roles focused on three areas:

  1. the role of the founder, and how that role has changed over time
  2. the charity’s financial management, as well as how it ensures its operational decision-making is in its best interests (for its particular charitable purpose), and
  3. how the charity manages conflicts of interest and related party transactions.

Our compliance reviews identified areas of concern in relation to governance experienced by some charities with founders who maintained key roles:

  • financial management
  • conflicts of interest and related party management
  • independent oversight and decision-making
  • record-keeping.

These issues can more commonly occur in smaller charities that have an overreliance on the founder being ‘hands on’ in their day-to-day activities, and that did not demonstrate good governance and robust decision-making processes.

During our compliance review we identified more specific issues that could cause risks for charities. They included:

  • the founder appointing friends and family to boards, rather than making appointments based on charity needs and skills required for good governance
  • charity activities evolving over time and not being aligned to the charitable purpose for which the charity is registered
  • poor financial management practices, including a lack of independent and proper financial oversight, especially in the areas of charity income and expenditure
  • a failure to have, or adhere to, decision-making policies and procedures
  • a lack of objective and independent decision-making to ensure the charity’s best interests were maintained
  • a failure to recognise and manage conflicts of interest and related party transactions where the founder had a relationship with people and businesses connected to the charity
  • decisions about remuneration paid to founders in paid positions lacked evidence of objective and independent decision-making
  • a failure to keep proper records.

In a few cases, charities used family connections to source services that were then provided to the charity for a fee.

While charities felt this provided an efficient and cost-effective solution for the charity, they were unable to demonstrate measures that showed transparent and independent decision-making, and that the charity’s best interests were being considered and maintained through the arrangement.

Such measures could include proper tendering processes or obtaining independent quotes for services, rather than automatically awarding contracts to related parties.

We were pleased that some charities had already taken steps to mitigate risks associated with retaining a founder on their board well beyond the start-up phase. In some cases, the founders themselves identified risks and took steps to recruit the right people with appropriate skills to the board.

Where improvements were required, we encouraged charities and their board members to complete relevant ACNC online learning modules. These modules help charities understand their obligations and provide guidance on steps they can take to ensure good governance practices.

Below are steps a charity can take to ensure good governance while a founder remains in a key leadership role:

  • Engage a diverse and appropriately skilled board, with skills and experience appropriate to charity needs. This includes ensuring a majority of charity board members are not related to the founder through family or personal relationships.
  • Have robust policies, procedures and processes to ensure good governance. Any policies, procedures and processes should also provide charities with guidance on what to do in circumstances where people – including founders – are not doing the right thing.
  • Ensure robust strategic planning processes.
  • Establish clear succession planning processes which see a charity envisaging what it will be like without its founder and then putting in place strategies to ensure continuity and viability.
  • Establish strategies to identify and protect intellectual property of high value, or critical to the charity.
  • Ensure any decisions about contracts awarded to, or remuneration paid to, founders or their family members, are made transparently by people not related to founders or their family members.
  • Ensure steps are taken to appropriately manage conflicts of interest, and ensure that founders do not improperly influence decisions.
  • Ensure independent people manage any founder that might be in a paid position with a charity. This includes ensuring a founder is accountable for their performance through the use of documented performance measures and expectations.
  • Ensure someone other than a founder is responsible for oversight of expenditure, and that expenditure is reviewed by independent people with relevant skills – for example, the treasurer.

Our data analysis indicated that problems with sustainability or compliance can first emerge three or four years after a charity’s establishment.

We identified several warning signs among charities:

  • a decline in revenue
  • reduced volunteer support
  • failure to submit Annual Information Statements.

Our review work focused on charities registered in the previous four years, and whose revenue had recently declined.

These findings are informing the guidance we provide to charities.

There are many ways Australian charities help vulnerable children in overseas countries. These include supporting orphanages and other institutions, as well as running programs focused on health, education and protection.

But undertaking this work creates an obligation on these charities to ensure their funds are used appropriately, and that vulnerable children are protected.

We reviewed 17 charities identified as helping vulnerable children overseas, 10 of which supported orphanages or similar institutions. And we found that while most had satisfactory governance, there was room for improvement.

We assessed three charities as having inadequate governance, and have since provided them with guidance on addressing their specific issues.

The key findings were that:

  • most charities were not only aware of the significant safeguarding risks that went with their work, but also managed them effectively
  • charities relied heavily on overseas partner charities’ governance practices. While this reliance can produce satisfactory outcomes, Australian charities can improve risk management and safeguarding by having their own processes to review the performance of overseas partner charities
  • some charities had other, larger Australian charities that were members of the Australian Council for International Development (ACFID) implement their programs. Doing so provided levels of governance they could not deliver themselves
  • charities usually exhibited responsible financial management.

We developed and delivered a communications strategy for those Australian charities that supported children overseas.

The strategy included:

  • updates to guidance, with the addition of relevant case studies
  • a direct mail campaign to remind charities of their obligations, and to encourage them to read the guidance the ACNC had available
  • a campaign aimed at promoting our findings to charities, as well as promoting best practice.

Key lessons from the review were that:

  • charities that worked with vulnerable children overseas should understand beneficiaries’ needs and ensure their programs protect them
  • charities that worked with partner organisations overseas must ensure they have oversight of the partner’s activities. This includes ensuring there are measures to protect beneficiaries, to account for funds, and to document outcomes
  • charities must assess risks associated with overseas activities and implement appropriate policies and processes for managing those risks.

We regularly analyse data to identify risks in the charity sector. This in turn helps us focus our compliance work on areas of highest risk.

Our analysis indicated that charities with large boards were more likely to face issues of non-compliance. However, this finding did not match our experience regulating the sector.

To test the finding drawn from our data analysis, we reviewed a selection of charities with large boards. And counter to our analysis, the review concluded that there was no correlation between large board size and non-compliance.

This saw us change our risk profiling method to improve how we selected cases for investigation or other compliance work.

Investigations are our key mechanism for addressing non-compliance – and help us maintain public trust and confidence in charities – so it is crucial that we maximise the effectiveness of this work.

In this review, we assessed how charities that responded to the 2019-20 bushfires directed their resources to help support affected Australians.

We examined this group of charities because of both the significance of the disaster, and the public criticism of charities’ response.

We initially reviewed three high-profile charities that received significant levels of donations. The reviews found that these charities’ responses had been appropriate because they had:

  • specifically set aside funds for disaster response
  • effectively planned their response and the use of funds
  • prepared for a long-term response to address the ongoing effect of the bushfires
  • put processes in place to prevent fraud.

We detailed these reviews in our public report Bushfire Response 2019-20 – Reviews of three Australian charities.

The key lessons were that:

  • despite pressure to act quickly during a disaster, charities must plan the allocation of their resources so they can provide funds both immediately and then respond to longer-term community needs
  • charities must keep donors informed about how they are using donated funds
  • charities must use donated funds only for the charitable purposes stated in their constitutions
  • members of the public should check the ACNC Charity Register to see if an organisation is a registered charity before making a donation
  • because third-party fundraising campaigns are often not controlled by charities, members of the public should check that the charity they want to support endorses a campaign before they donate
  • significant increases in donations often require charities to scale up operations. If this occurs, charities should be prepared to bring in support to manage these changes, and to ensure adequate financial and governance controls are in place
  • it is legitimate for charities to incur reasonable costs associated with delivering services
  • charities must conduct appropriate fraud-prevention checks before using donated funds.

Our findings were communicated through a promotional campaign that included a nationally syndicated media release and radio grabs.

The ACNC Commissioner wrote an opinion piece published in The Australian, as well as a column outlining the findings and key lessons that was then sent to all charities.

We also produced a webinar and three podcast episodes on the topic.

Subsequently, we reviewed five more charities’ responses to the 2019-20 bushfires. We were similarly satisfied that they responded appropriately and used donated funds effectively.

Because there were no significant new findings, we did not publish an additional report. However, we did provide public comment on the outcome of this set of reviews.

Our findings can be applied to any charity involved in any disaster response, such as the 2022 floods in New South Wales and Queensland.

The need for charities to act diligently and to plan and target their response remains relevant. By doing so, those charities involved in disaster response will be able to better help affected communities and work to maintain public confidence in their capabilities.

These lessons have been incorporated into our guidance, and into our advice and support messaging on disaster relief and recovery.

We continue to see the value of this report through its ongoing citation in media discussion of charity disaster response. It has helped the public better understand how charities work and has helped support public confidence in charities that engage in disaster response and recovery.

How we conduct our compliance reviews

A review is a short engagement with a charity in which we examine a particular issue or risk that they may be experiencing.

This contrasts with an investigation, in which we formally assess a charity’s governance against its full obligations as defined in the ACNC Act and Regulations.

We conduct reviews in groupings of charities with similar risks in order to establish if a particular issue is widespread.

If we do find that an issue is widespread, we may provide information or guidance for those charities – and the public – to support better understanding of, and improvements to, charity practices.

Participation in the reviews is voluntary.

Overall learnings drawn from our program of reviews

Our reviews allow us to engage with charities at risk of non-compliance on a more regular basis and in less resource-intensive ways.

Our approach allows us to gather evidence quickly and helps us:

  • improve our processes
  • support compliance outcomes, and
  • maintain public trust and confidence in the charity sector.

Most reviews have resulted in us providing charities with regulatory advice to improve their practices.

By gathering evidence from a range of charities, we can identify systemic issues as well as share our findings and identify any lessons or best practices within the charity sector.

We know that the charity sector is diverse, with different challenges and risks that affect subsectors uniquely.

Our program of reviews enables us to look at a variety of issues in a timely manner and to gather evidence and support individual charities. It has also enabled us to provide targeted, effective guidance to charities.

In addition, this work strengthens our risk profiling tools and enables us to be more proactive in our compliance work.

Through the work we have been able to target our compliance efforts to maximise their impact on charities at risk of non-compliance, which, in turn, has also helped these charities strengthen their governance.