Protect your charity from fraud

Since the ACNC's establishment, fraud and financial crime in charities have emerged as among the most common concerns the public have raised with us.

Clearly there is concern amongst members of the public about the financial operations of charities (even if the number of charities involved is very small) relative to the size of the sector.

Charities can be victims of crime in the same way as individuals and other parts of society, and the impact on them can be devastating.

Fraud surveys conducted in the Australian not-for-profit sector over the past decade have found between 10% and 15% of not-for-profits had suffered fraud in the two years previous, and that the average fraud committed ranged up to almost $23,000.

The surveys have also suggested a reluctance on behalf of some organisations to report or confront fraud.

This was due to concerns about the impact on their reputations, and thus their ability to raise funds and recruit volunteers, or about time being taken away from charitable work.

Many of the incidents of fraud reported in the Australian media involve substantial sums taken from charities over a long period of time, resulting in criminal investigation. These typically affect larger charities and are often committed by someone involved in running them - such as those in finance or payroll areas.

For smaller charities profiled in the media, funds or goods were taken by frontline staff and volunteers.

The risk that fraud involving charities will harm public trust and confidence in both individual charities and the sector generally highlights the importance of charities not only taking action to prevent fraud, but being transparent about their processes.

Of the concerns reported to the ACNC, and in many cases highlighted in the media, the main factors leading to fraud were breaches of trust and a lack of satisfactory controls.

While charities must individually weigh up the need for protective measures against administrative burden, all charities can take some simple steps that will significantly reduce the risk of fraud.

This guide sets out some of these steps and some strategies for charities to consider. Our suggestions fall under three aspects: prevention, detection and action to take if there is a problem.

Fraud is a form of dishonesty – where someone acts in a dishonest way so that they receive a benefit or someone else experiences a loss.

People can commit fraud in a variety of ways, including by:

• Making false representations
• abusing their position
• failing to disclose information, and
• using other forms of deception.

More than half the allegations of fraud the ACNC has received have related to the conduct and activities of senior and entrusted members of the charity, including the chief executive officer (CEO), directors (those on the governing body) and financial officers (such as the treasurer).

But fraud can be committed by any staff member (paid or volunteer) or any other person given some responsibility.

Fraud does not necessarily involve large sums of money. Fraud involving small amounts can still result in significant harm, particularly for smaller charities with limited resources.

It is often not just the financial loss that damages the charity; the impact on its reputation and the negative effect on the charity’s staff, volunteers and board or committee members can also be profound.

There are many different types of fraud, and the methods used are constantly evolving.

Generally speaking, fraud and other types of financial crime can be categorised as either:

• internal fraud - committed by someone within or connected to a charity
• external fraud - committed by someone with no connection to the charity at all.

Examples of internal fraud

• Stealing goods or money from charity shops or other trading activities
• Stealing cash donations
• Misusing charity banking facilities - including credit and debit cards, or internet banking accounts - for personal expenditure
• Claiming non-existent, excessive or inappropriate expenses
• Creating false or inflated invoices or purchase orders to obtain payment for goods and services that have not been supplied
• Submitting false applications for grants or other charitable benefits
• Creating non-existent beneficiaries or employees for the purposes of directing unauthorised payments.

Examples of external fraud

• Using false invoices to obtain money from a charity
• Committing identity fraud, for example, hijacking a charity’s bank account
• Unauthorised fundraising in a charity’s name, such as setting up a fraudulent disaster appeal website.

Charities are not necessarily any more vulnerable to fraud and financial crime than other parts of society. But there are characteristics many charities share that can attract opportunists and those with criminal intent.

These include:

• high levels of public trust and confidence that can provide a cover of respectability to those committing fraud
• a culture of trust, built on volunteerism and pursuit of common goals, that can enable the unscrupulous to operate with less suspicion
• a lack of segregation of duties and/or dependence on one or two individuals can result in ineffective oversight of funds and assets, particularly in smaller charities
• irregular cash flow in and out of the charity that can make suspicious activities harder to identify.

A charity's Responsible Persons have legal duties towards their charity.

They have a duty to act in the best interests of the charity, to avoid conflicts of interest and to act with reasonable care and diligence.

They should act in a way that protects the charity’s assets and ensures the charity’s financial affairs are managed in a responsible manner and for its charitable purpose. Their role includes:

• ensuring everyone - from the charity's board or committee, through to staff and volunteers - is aware of the risk of fraud and what it can mean for the charity
• using proper financial controls and procedures that are suited to the charity's size and nature
• acting responsibly and in the interests of the charity if it becomes the victim of fraud or other financial crime. This includes notifying the police and the ACNC and taking appropriate steps to manage the consequences of the fraud.

You can find out more about governance and managing a charity by referring to our Governance Standards, and by reading our Governance for Good guide.

Where charities operate overseas, they must also comply with the ACNC External Conduct Standards.

The four External Conduct Standards are intended to promote transparency and provide confidence that resources sent, or services provided, overseas reach intended beneficiaries and are used for legitimate charitable purposes.

Specifically, External Conduct Standard 3 requires charities to take reasonable steps to minimise the risk of corruption, fraud, bribery or other financial impropriety by persons working with the charity (including third parties working in collaboration with the charity).

You can find out more by referring to our External Conduct Standards guidance.

In identifying how to best protect your charity, you should consider:

• its ethical culture
• the communication flow within it, and
• its formal policies and procedures.

Importantly, these things must be considered together.

For example, detailed policies are ineffective if they are not promoted or championed by those who hold positions of responsibility, such as directors or CEOs.

With this in mind, we've listed six key things you can do to protect your charity:

1. Be clear about ethical values your charity prioritises, such as honesty and accountability. Talk about them and model them

It is important for board and committee members and managers to 'set the tone at the top’ on fraud and criminal behaviour. This includes ensuring that fraud, and the approach to responding to fraud, is understood within your charity.

Setting the tone at the top includes:

• establishing and communicating clear expectations about behaviours, roles and responsibilities
• developing a ‘no blame’ culture that enables the concerns to be voiced and queries listened to and followed up, and
• promoting fairness, and
• protecting those who report concerns.

2. Be open with those in your charity about the possibility of fraud, even if risk is low

Discuss what fraud is, what it might look like in your charity, and reaffirm you take the threat of fraud seriously.

3. Identify the types of fraud - both internal and external - your charity may be susceptible to

Fraud can be very difficult to identify, and opportunities for fraud exist at every stage of a charity’s activities.

Assessing your risks can help your charity prevent fraud by becoming more aware of the vulnerabilities it has.

Consider the risks relevant to your particular charity, such as those related to the types of activities it undertakes, the roles and responsibilities of staff/volunteers, and the banking procedures and fundraising methods it uses.

From there, document your risk assessment and schedule regular reviews of procedures. This is especially important if your charity's situation changes - for example, changes to activities, staff or funding levels and sources.

4. Understand your charity’s ‘red flags’ for fraud

It is important your charity understands any specific warning signs that may indicate fraud.

Your charity’s financial procedures

Most fraud can be detected by a charity’s internal controls or audit process. Regularly check your charity’s accounts and records and look for the following warning signs:

• Are reconciliations completed on a regular basis and checked for discrepancies?
• Have any documents, books or records gone missing?
• Are your financial documents photocopies rather than originals? This can indicate counterfeit documents
• Do alterations or deletions frequently appear on documents? This can indicate falsified records
• Are there any duplicated payments or cheques?
• Do transactions take place at unusual times with irregular frequency? Do they involve unusual amounts or unknown recipients?
• Are suppliers submitting electronic invoices in a format that can be altered?
• Are there unexplained variances from agreed budgets or forecasts?
• Have audits or reviews highlighted any inconsistencies or irregularities?

Behaviour of those in your charity – board or committee members, staff or volunteers

Most people who work and volunteer for charities are honest and law-abiding. But being a charity does not automatically make you immune from dishonesty.

When it does happen, fraud is often carried out by employees, including people in positions of trust.

A significant proportion of the fraud allegations the ACNC has received relate to the conduct and activities of senior and trusted members of the charity, including CEOs, directors and financial officers.

People commit fraud for a variety of reasons – to pay debts, out of greed or through opportunism. Be alert to the following behaviours:

• Does any person have sole control of a financial process from start to finish?
• Are vague responses being given to reasonable and legitimate queries? Are legitimate queries taking a long time to resolve?
• Does anyone with financial management responsibilities seem reluctant to accept help with their tasks, or unwilling to take holidays or leave?
• Has the format of financial information provided to your board changed or become more complicated?
• Is anyone trying to delay work reviews or audits?

When looking at risk indicators, it is worth remembering that:

• The typical perpetrator of fraud is a paid employee
• the most common types of fraud suffered are cash theft, payroll or credit card fraud, and
• having internal financial controls remains one of the most effective ways to uncover fraud.

5. Develop sound written policies and procedures

Sound written policies provide accountability and fraud prevention.

Detailed and robust financial procedures

The steps you take will depend on your charity's size and complexity.

We recognise that small charities often do not have access to the same resources, professional advice and risk management processes as large charities.

However, all charities can take some practical and sensible steps which will significantly reduce the risk of fraud. Use your judgement and knowledge of your charity to ensure that anti-fraud measures are appropriate and proportionate.

We suggest you:

• Separate duties where possible. For example, one person should not be solely responsible for authorising, completing and reviewing your charity ís financial transactions
• Keep proper financial records, and retain records of finance-related decisions as they are made. This might be in the form of meeting minutes, or emails and email exchanges.Transaction records should be detailed enough so that you can check that funds have been spent as intended
• Regularly checking your bank statements to ensure all amounts you expect to be banked are actually received in your charity's bank account. Have the accounts reviewed by more than one person
• Reconcile supplier statements, invoices and creditor balances - to check that invoices match payments
• Regularly change your internet banking password and limit the number of people who have access to it
• Make sure you know which staff or volunteers can access the charity ís accounts, including their level of access to the accounting system, and put in place a system to independently check transactions
• Establish a system where only certain people can approve orders or payments which exceed a particular amount of money. You can do random checks on spending below this amount
• Require at least two signatories for all bank account activity, including new debit or credit cards, and online banking. Ensure no banking can be done without both people signing
• Regularly review and spot check payroll records for any paid staff.

A fraud prevention policy

A fraud prevention policy is a written document that:

• describes actions and responsibilities for preventing, identifying and responding to incidents of fraud
• outlines the key responsibilities of senior staff and board or committee members (or trustees).

Developing and implementing a fraud prevention policy can help raise awareness of fraud risks, as well as help staff and volunteers take appropriate steps to prevent, detect and act if there is fraud.

Such a policy can be endorsed by a charity's governing body.

In developing a fraud prevention policy for your charity consider including:

• a short statement about what fraud means within the context of your charity - you could start with our simple definition of fraud and explain how it may apply to you
• a plan for how your charity will respond to fraud - who in the charity needs to be told and if anyone outside the charity needs to be informed
• how suspicions of fraud will be reported
• how your charity will provide fraud prevention training
• how and when your charity will review the policy.

Human resources procedures

Consider your recruitment process, ongoing training and how you communicate with staff. Practical steps include:

• using a clear job description and sufficiently detailed application form, and reference checking procedures
• ensuring certain standards are met when using volunteers, particularly in the areas of fundraising and money handling
• including fraud prevention policies and procedures in a staff handbook, and having designated staff responsible for them
• where possible, dividing duties between staff so irregularities can be spotted
• introducing supervisory and monitoring checks, where appropriate
• encouraging fraud awareness by training staff in the use of fraud prevention measures, such as financial controls and reporting suspicions
• making risk assessments a regular feature on the board meeting agenda - this ensures fraud is always considered and provides an opportunity to raise concerns
• having a whistleblowers policy that is supported
• having a prominently displayed code of conduct that sets out your charity's ethical culture and is used as a standard by which behaviour is judged.

6. Reporting suspected fraud or other criminal activity

Reporting fraud to the police

If you suspect a crime has been committed in your charity then you should report your concerns to the police as soon as possible. This helps ensure your charity, and the sector, is protected from fraud.

Where Commonwealth laws have been broken, the Australian Federal Police has primary law enforcement responsibility for investigating serious or complex fraud. More information can be found on the Australian Federal Police website.

Consider reporting fraud to your local police, particularly if the situation is urgent and there is a risk of immediate loss or harm.

• Australian Capital Territory
• New South Wales Police
• Northern Territory Police
• Queensland Police
• South Australia Police
• Tasmania
• Victoria Police
• Western Australia Police

Reporting fraud to your bank

If the fraud relates to your charity's bank account, cheques or your debit or credit card, you should immediately contact your bank or credit card company to organise a stop is put on access.

Reporting scams, misrepresentation or other fraudulent behaviour to other regulators

You can report a scam (like a fake website in a charity’s name) to SCAMwatch, a website run by the Australian Competition and Consumer Commission that provides information about how to recognise, avoid and report scams.

You can also report fraudulent behaviour to your state or territory consumer regulator, such as a consumer affairs or fair trade agency.

Reporting fraud to the ACNC

Criminal activity in a charity can indicate mismanagement. The ACNC will then consider if we need to act to protect the charity and those it helps.

Reporting incidents of fraud to the ACNC allows us to work with charities to manage the consequences of fraud and to support charities to act to better protect themselves.

The ACNC Act requires charities to report breaches of the Act as soon as practicable, and no later than 28 days after the charity has knowledge of the breach.

Reporting an incident of fraud to the ACNC is simple and easy to do. Please contact us – you may be asked to fill in a form and detail your concerns.

There is no minimum level that must be reported – charities themselves need to decide whether the incident is serious or significant enough to be reported. You should take into account the actual harm or potential risk to your charity - including to those it works to help, its assets, its staff, members, donors, funders and the public.

The ACNC expects instances of high value fraud or theft, or instances when there is media or public interest, to be reported immediately.

And while low value incidents may not seem important, they may be an indicator of a deeper issue in your charity. If you decide fraud is too minor to report, you should keep records and document your decision.

Reporting an incident is one way to demonstrate that your charity’s board or committee members (or trustees) are dealing with the issue appropriately.

Where a registered charity has been involved in fraud, or is the victim of fraud, the ACNC’s key areas of regulatory interest are:

• protecting the charity’s funds and assets
• maintaining, promoting and protecting trust and confidence in the charity and not-for-profit sector, and
• ensuring members of the governing body (board or committee members or trustees) comply with their legal duties and responsibilities in managing the charity.

Where a charity has been the victim of fraud we will generally work with it to understand the causes, help it protect assets and provide guidance and education to ensure fraud doesn’t re-occur.

Where the charity is not willing to work cooperatively with the ACNC, or the fraud has resulted from organisational or deliberate non-compliance, we are more likely to consider using our formal enforcement powers. These can include the ACNC revoking a charity's registration.

The ACNC works closely with law enforcement agencies, who generally take the lead in cases involving criminal offences.

We also work in partnership with the police and other agencies, and our role is to investigate any regulatory concerns that arise in connection with a registered charity.

This includes considering if there has been misconduct or mismanagement in a charity's administration, and any issues about the suitability of the charity’s trustees or board or committee members.

This case study helps illustrate:

• how a fraud can be uncovered,
• the warning signs the charity should have noted, and
• the steps the charity took towards addressing the situation.

Joseph is a director of A Charity Inc (‘ACI’), a small charity registered with the ACNC. He has also had full financial control of the charity for a number of years.

Staff at the charity first identified financial discrepancies when Joseph was on leave. He had not delegated any responsibility for the accounts.

Further investigation by staff into the inconsistencies showed that there had been a number of instances of potential credit card fraud. The staff of the charity immediately approached another director to express their concerns.

That director expressed surprise at the allegations, having only ever seen consolidated figures.

The charity’s board:

• notified the ACNC of their concerns,
• suspended the individual concerned,
• stopped requesting public funds (until the charity’s financial position, and solvency, was decided),
• launched an internal investigation, and
• communicated to members about the investigation and the action it had taken.

At the time of notifying the ACNC, the board had not contacted police.

The board called a meeting with staff to explain what had occurred and to reassure them that everything possible was being done.

The board continued to work closely with the ACNC to uncover the extent of the fraud, and to identify ways it could improve its financial controls.

The board then conducted a risk assessment, and reviewed the charity's policies.

1. Clear, written financial procedures and delegations (limits)

Have staff and volunteers follow proper financial controls. Always have two cheque signatories and, if possible, two people involved in handling and recording any money received.

Set clear financial delegations that restrict who can approve purchases or other transactions that exceed certain levels.

2. Robust human resources procedures

Ensure your recruitment processes are sound and have your charity provide ongoing training and communication to staff and volunteers about fraud prevention measures. This should include guidance on financial controls, and how to report suspicions.

3. Code of conduct

Demonstrate and encourage ethical behaviour. Display your code of conduct and embody it.

4. Financial responsibility

Ensure people with financial responsibility are competent and understand their role. It is a good idea to have written role descriptions that set out expectations of staff, including their financial responsibilities.

5. Fraud prevention policy

Develop a fraud prevention policy that specifies the steps your charity takes to prevent, identify and respond to fraud, as well as who is responsible for overseeing them.

6. Internet banking security

Ensure your accounts and online banking passwords are secure, and limit who has access to them. Regularly change your passwords.

7. Limit cash handling

The presence of large amounts of cash can encourage theft and fraud. Limit the amount staff and volunteers handle.

8. Monitor your charity's budget and bank accounts, and keep track of any grant funding

Review your bank accounts regularly and identify anything that does not make sense. Monitor your charity’s performance against its budget, and if you see a significant variation in spending or income, ask for more information.

Keep a record of all grant applications and how the grant funds were used.

9. Ask questions

Members of your board or management committee should be comfortable asking questions about the financial information they receive before each board or committee meeting. If you manage a charity, make people accountable and do not take anything for granted.

10. Understand the importance of reporting fraud

Ensure your staff and volunteers understand the importance of reporting fraud to senior management and that your charity has a clear process to report concerns to the police and the ACNC as soon as possible.