Fraud and fraud-related issues are among the biggest areas of concern for charities, and ones we hear a lot about at the ACNC.
Fraud can, of course, vary in nature. It can involve the theft of funds, goods or assets, or encompass issues such as overpayment of wages or attempts to claim excessive or unauthorised expenses.
Some charities may be reluctant to report fraud due to the reputational issues it can cause them, and the fear that, in turn, it can damage their ability to attract donations and recruit volunteers.
Some charities may also be reluctant to divert time and resources from their core work in order to address these instances of fraud.
However, the very real risks that fraud poses, and the harms it can cause to public trust and confidence in both individual charities and across the sector, highlight how vital it is that charities take steps to:
- prevent and detect fraud, and
- respond to any instances of fraud.
This guide highlights some of the risks to which for charities can be vulnerable, and provides some practical steps that your charity and its Responsible People can take to prevent, detect, and act in response to fraud.
It is aimed at Responsible People (board or committee members, or trustees) and other senior charity staff. It will also be of interest to employees and volunteers.
Fraud occurs when a person acts in a dishonest way so that they receive a benefit or someone else experiences a loss.
People can commit fraud in a variety of ways, including by:
- making false representations
- abusing their position
- failing to disclose information, and
- using other forms of deception.
Many of the allegations of fraud the ACNC receives related to the conduct and activities of senior and entrusted members of the charity, including the chief executive officer (CEO), Responsible People and financial officers like the treasurer.
But fraud can be committed by any staff member, any volunteer or any other person with some level of responsibility.
Fraud does not necessarily need to involve large sums of money either. Fraud involving small amounts can still cause significant harm, particularly for smaller charities with limited resources.
And beyond any damage caused by the financial loss resulting from a fraud; the impact on its reputation and the negative effect on a charity’s staff, volunteers and Responsible People can also be profound.
Types of fraud
There are many different types of fraud, and the methods used to commit them are constantly evolving. But generally fraud and other types of financial crime can be categorised as either:
- internal fraud – committed by someone within or connected to a charity
- external fraud – committed by someone with no connection to the charity.
Examples of internal fraud include:
- misusing charity banking facilities – including credit and debit cards, or internet banking accounts – for personal expenditure
- claiming non-existent, excessive or inappropriate expenses
- creating false or inflated invoices or purchase orders to obtain payment for goods and services that have not been supplied
- submitting false applications for grants or other benefits
- creating non-existent beneficiaries or employees for the purposes of directing unauthorised payments.
Examples of external fraud include:
- using false invoices to obtain money from a charity
- committing identity fraud, for example, hijacking a charity’s bank account
- unauthorised fundraising in a charity’s name, such as setting up a fraudulent disaster appeal website.
Many of the incidents of fraud reported on by the Australian media involve substantial sums taken from charities over a long period of time, resulting in criminal investigation.
These typically affect larger charities and are often committed by someone involved in running them - such as those in finance or payroll areas.
For smaller charities profiled in the media, the common issue is funds or goods taken by frontline staff and volunteers.
Of the concerns reported to the ACNC, and in many cases highlighted in the media, the main factors leading to fraud were breaches of trust and a lack of satisfactory controls.
While charities must individually weigh up the need for protective measures against administrative burden, all charities can take some simple steps that will significantly reduce the risk of fraud.
Charity vulnerability to fraud
It is important to note that charities are not necessarily any more vulnerable to fraud and financial crime than other parts of society. But there are characteristics many charities share that can attract opportunists and those with criminal intent.
- high levels of public trust and confidence, which can provide a cover of respectability to those committing fraud
- a culture of trust, built on volunteerism and pursuit of common goals, that can enable the unscrupulous to operate with less suspicion
- a lack of segregation of duties, or over-dependence on one or two individuals within a charity, that can result in ineffective oversight of funds and assets, particularly in smaller charities
- irregular cash flow in and out of the charity that can make suspicious activities harder to identify.
Governance Standard 5 outlines the legal duties that Responsible People have to their charity.
Responsible People have a duty to act in the best interests of their charity, to avoid conflicts of interest and to act with reasonable care and diligence.
They should act in a way that protects their charity’s assets and ensures its financial affairs are managed in a responsible manner and for its charitable purpose.
Their role includes:
- ensuring everyone – from the charity's board or committee through to staff and volunteers – is aware of the risk of fraud and what it can mean for the charity
- using proper financial controls and procedures suitable for their charity's size and nature
- acting responsibly and in the interests of their charity if it becomes the victim of fraud or other financial crime – this includes notifying the police and the ACNC, as well as taking appropriate steps to manage the consequences of fraud.
Where charities operate overseas, they must also comply with the ACNC External Conduct Standards, which aim to promote transparency and give confidence that resources sent overseas or services provided overseas reach their intended beneficiaries, and are used for legitimate charitable purposes.
Specifically, External Conduct Standard 3 requires charities to take reasonable steps to minimise the risk of corruption, fraud, bribery or other financial impropriety by those working with the charity (including third parties working in collaboration with the charity).
Protecting your charity from fraud
In identifying how to best protect your charity, you should consider:
- its ethical culture
- the communication flow within it
- relevant fraud risks and red flags.
Importantly, these things must be considered together, and reflected in your charity's policies and procedures. Keep in mind, policies are ineffective if they are not supported by your charity’s culture and promoted by those who hold positions of responsibility.
Your charity should be clear about the ethical values it prioritises, such as honesty and accountability.
This means your charity’s Responsible People and managers need to set the tone at the top. There are several ways they can do this:
- establish and communicate clear expectations about behaviours, roles and responsibilities
- develop a ‘no blame’ culture that enables any concerns to be voiced and queries listened to and followed up
- promote fairness, and protect those who report concerns.
Discuss what fraud is and what it might look like in your charity. Identify the types of fraud, both internal and external, that your charity may be susceptible to.
Consider the risks relevant to your particular charity, such as those related to the types of activities it undertakes, the roles and responsibilities of staff and volunteers, and the banking procedures and fundraising methods it uses.
This work will help you assess risks, but also increase awareness and understanding of any specific warning signs – red flags – that may indicate fraud.
You may identify red flags relating to your charity's financial procedures, or the behaviour of Responsible People, staff or volunteers.
Most fraud can be detected by a charity’s internal controls or audit process. Regularly check your charity’s accounts and records and look for the following warning signs:
- Are reconciliations completed regularly and checked for discrepancies?
- Have any documents, books or records gone missing?
- Are your charity’s financial documents photocopies rather than originals? This can indicate counterfeit documents.
- Do alterations or deletions frequently appear on charity documents? This can indicate falsified records.
- Are there any duplicated payments or cheques?
- Do transactions take place at unusual times with irregular frequency? Do they involve unusual amounts or unknown recipients?
- Are suppliers submitting electronic invoices in a format that can be altered?
- Are there unexplained variances from agreed budgets or forecasts?
- Have audits or reviews highlighted any inconsistencies or irregularities?
Behaviour of Responsible People, staff or volunteers
Most people who work and volunteer for charities are honest and law-abiding. But being a charity does not automatically make you immune from dishonesty.
When it does happen, fraud is often carried out by employees, including people in positions of trust.
People commit fraud for a variety of reasons – to pay debts, out of greed or through opportunism. Be alert to the following behaviours:
- Does any person have sole control of a financial process from start to finish?
- Are vague responses being given to reasonable and legitimate queries? Are legitimate queries taking a long time to resolve?
- Does anyone with financial management responsibilities seem reluctant to accept help with their tasks, or unwilling to take holidays or leave?
- Has the format of financial information provided to your board changed or become more complicated?
- Is anyone trying to delay work reviews or audits?
When looking at risk indicators, it is worth remembering that:
- the typical perpetrator of fraud is a paid employee
- the most common types of fraud suffered are cash theft, payroll or credit card fraud
- having internal financial controls remains one of the most effective ways to uncover fraud.
Once you have completed a risk assessment, document it and schedule regular reviews of procedures.
This is especially important if your charity's situation changes – for example, if there are changes to activities, staff or funding levels and sources.
Policies and procedures
Sound written policies and procedures provide accountability and fraud prevention.
Charities should have detailed and robust financial procedures in place, as well as a fraud prevention policy and human resources procedures to protect from fraud.
The steps you take will depend on your charity's size and complexity. Remember that all charities are required to keep financial and operational records.
We recognise that small charities often do not have access to the same resources, professional advice and risk management processes as large charities.
However, all charities can take some practical and sensible steps to significantly reduce the risk of fraud. Use your judgement, and your knowledge of your charity, to ensure that anti-fraud measures are appropriate and proportionate.
We suggest you:
- separate duties where possible – for example, one person should not be solely responsible for authorising, completing and reviewing your charity’s financial transactions
- keep proper financial records, and retain records of finance-related decisions as they are made – this might be in the form of meeting minutes, or email exchanges
- ensure transaction records are detailed enough so that you can check that funds have been spent as intended
- regularly check your bank statements to ensure all amounts you expect to be banked are actually received in your charity's bank account, and have the accounts reviewed by more than one person
- reconcile supplier statements, invoices and creditor balances to check that invoices match payments
- regularly change your internet banking password and limit the number of people who have access to it
- ensure you know which staff or volunteers can access the charity’s accounts, including their level of access to the accounting system, and put in place a system to independently check transactions
- establish a system where only certain people can approve orders or payments which exceed a particular amount of money – you can do random checks on spending below this amount
- require at least two signatories for all bank account activity, including new debit or credit cards, and online banking –ensure no banking can be done without both people signing
- regularly review and spot check payroll records for any paid staff.
A fraud prevention policy is a written document that:
- describes actions and responsibilities for preventing, identifying and responding to incidents of fraud
- outlines the key responsibilities of senior staff and Responsible People.
Developing and implementing a fraud prevention policy can help raise awareness of fraud risks, as well as help staff and volunteers take appropriate steps to prevent, detect and act if there is fraud.
This policy can be endorsed by a charity's governing body.
In developing a fraud prevention policy for your charity consider including:
- a short statement about what fraud means within the context of your charity – you could start with our simple definition of fraud and explain how it may apply to you
- a plan for how your charity will respond to fraud – who in the charity needs to be told and if anyone outside the charity needs to be informed
- how suspicions of fraud will be reported
- how your charity will provide fraud prevention training
- how and when your charity will review the policy.
Consider your recruitment process, ongoing training and how you communicate with staff.
Practical steps include:
- using a clear job description and sufficiently detailed application form, and reference checking procedures
- ensuring certain standards are met when using volunteers, particularly in the areas of fundraising and money handling
- including fraud prevention policies and procedures in a staff handbook, and having designated staff responsible for them
- where possible, dividing duties between staff so irregularities can be spotted
- introducing supervisory and monitoring checks, where appropriate
- encouraging fraud awareness by training staff in the use of fraud prevention measures, such as financial controls and reporting suspicions
- making risk assessments a regular feature on meeting agendas – this ensures fraud is always considered and provides an opportunity to raise concerns
- having a whistleblower policy that is supported
- having a prominently displayed code of conduct that sets out your charity's ethical culture and is used as a standard by which behaviour is judged.
If you suspect your charity has fallen victim to fraud, you should report it immediately.
Report any suspected instances of fraud to the police as soon as possible. This helps ensure your charity, and the sector, is protected from fraud.
Where Commonwealth laws have been broken, the Australian Federal Police has primary law enforcement responsibility for investigating serious or complex fraud.
Consider reporting fraud to your local police, particularly if the situation is urgent and there is a risk of immediate loss or harm.
You can report a scam (like a fake website in a charity’s name) to SCAMwatch, a website run by the Australian Competition and Consumer Commission (ACCC) that provides information about how to recognise, avoid and report scams.
You can also report fraudulent behaviour to your state or territory consumer affairs or fair trading regulator.
Reporting incidents of fraud to the ACNC allows us to work with charities to manage the consequences of fraud and to support charities to act to better protect themselves.
We take information-handling and privacy seriously, and do not comment publicly about individual ACNC investigations.
The ACNC Act requires charities to report breaches of the Act, Governance Standards or External Conduct Standards as soon as practicable, and no later than 28 days after the charity has knowledge of the breach.
Reporting an incident of fraud to the ACNC is simple and easy to do. You can use Form 3C: Notification of contravention or non-compliance to do so.
There is no minimum level that must be reported – charities themselves need to decide whether the incident is serious or significant enough to be reported. Your charity should take into account the actual harm or potential risk to your charity – including to those it works to help, its assets, its staff, members, donors, funders and the public.
The ACNC expects instances of high value fraud or theft, or instances of fraud where there is media or public interest, to be reported immediately.
And while low value incidents may not seem important, they may be an indicator of a deeper issue in your charity. If you decide fraud is too minor to report, you should keep records and document your decision.
Reporting an incident is one way to demonstrate that your charity’s board or committee members are dealing with the issue appropriately.
Fraud may also be reported by staff or volunteers, or by member of the public raising a concern about the charity. We take information-handling and privacy seriously, and do not comment publicly about individual ACNC investigations. For more information, see our Commissioner's Policy Statement: Complaints about charities.
Our approach to reports of fraud
If a registered charity has been involved in fraud, or is the victim of fraud, the ACNC’s key areas of regulatory interest are:
- protecting the charity’s funds and assets
- maintaining, promoting and protecting trust and confidence in the charity and not-for-profit sector, and
- ensuring members of the governing body comply with their legal duties and responsibilities in managing the charity.
Where a charity has been the victim of fraud, we will generally work with it to understand the causes, help it protect assets, and provide guidance and education to ensure fraud doesn’t re-occur.
If the charity is not willing to work cooperatively with the ACNC, or the fraud has resulted from organisational or deliberate non-compliance, we are more likely to consider using our formal enforcement powers. These can include the ACNC revoking a charity's registration.
The ACNC works closely with law enforcement agencies, who generally take the lead in cases involving criminal offences.
We also work in partnership with the police and other agencies, and our role is to investigate any regulatory concerns that arise in connection with a registered charity.
This includes considering if there has been misconduct or mismanagement in a charity's administration, and any issues about the suitability of the charity’s trustees or board or committee members.
Criminal activity in a charity can indicate mismanagement. If an instance of fraud is reported to the ACNC, we will then consider if we need to act to protect the charity and those it helps.
Our approach is outlined in our Regulatory Approach Statement.
Things to remember
- Have clear, written financial procedures (such as requiring two cheque signatories) and delegations that restrict approvals for transactions over a certain dollar amount.
- Ensure your recruitment processes are sound, and that there is ongoing training and communication to staff and volunteers about fraud prevention measures. This should include guidance on financial controls, and how to report suspicions.
- Demonstrate and encourage ethical behaviour by displaying and embodying your code of conduct.
- Ensure people with financial responsibility are competent and understand their roles. It is a good idea to have written role descriptions that set out expectations of staff, including their financial responsibilities.
- Develop a fraud prevention policy that specifies the steps your charity takes to prevent, identify and respond to fraud, as well as who is responsible for overseeing them.
- Ensure your accounts and online banking passwords are secure, and limit who has access to them. Regularly change your passwords.
- Limit the amount of cash staff and volunteers handle, as large amounts can encourage theft and fraud.
- Review your bank account statements regularly, and identify anything that does not make sense.
- Monitor your charity’s performance against its budget, and if you see a significant variation in spending or income, ask for more information.
- Keep a record of all grant applications and how the grant funds were acquitted.
- Ask questions about financial information. Ensure people are accountable, and do not take anything for granted.
- Ensure your staff and volunteers understand the importance of reporting fraud to senior management and that your charity has a clear process to report concerns to the police and the ACNC as soon as possible.