Our October webinar, staged to coincide with Charity Fraud Awareness Week, looked at the different aspects of charity fraud examined the practical ways a charity can guard against fraud.
Protecting Your Charity Against Fraud, as you should be able to see on the screen there. My name is Matt Crichton and I’m from the ACNC’s education team, as my name is listed there, alongside two other names of very important guests today, Mr Oliver May from Deloitte and James Bennett from the ACNC, who will guide us through this panel discussion format about all things charity fraud and provide some practical tips and advice on what charities can do to help prevent and mitigate, and even manage instances of fraud.
Okay, we’ve got a few things to get through today, but actually, before we do get to the agenda, although I have put that on the screen, a few bits and pieces of admin.
First things first: if you’re having trouble with the audio for this webinar, you should have an option to dial in, and that may help out. In the confirmation email you would have received upon registration there will be some instructions there on calling a number to listen to the webinar if you are having trouble otherwise.
Also, we’ve got a couple of colleagues answering questions as we go through, so if you have any questions that you want answered as you’re listening, feel free to put them in the question box there and GoToWebinar control panel. Our colleagues Chris and Bree will happily assist with any questions.
Look, if we’re getting a lot of the similar questions come through, we may address those issues live with Ollie and James. If we can’t get to your question because we do have quite a crowd in today, we will endeavour to get back to you later via email.
Also, we have the slides as you can see on the screen here, but you can also see us speaking. So, depending on the device you’re using, you should be able to toggle between viewing the slides and viewing the speakers or viewing everybody if you want as well. I think that’s an option.
That will depend on the device you’re using. I think if you’re using a phone or a tablet it may be a matter of swiping between the viewing options. But if you're on a desktop computer or a laptop it may be that you minimise the windows and you can see the different options there. Then if you want to see everyone or just the speaker or just the presenters then you've got the option to do that too.
Okay, and of course, we are coming to you from our home studios or varying degrees of audio and visual professionalism. So, if you do come across some of the typical sounds of the home, that's the reason why, we’re all still working from home. So, there might be the odd dog barking or lawn mower outside, that sort of thing. We hope it won’t interfere too much.
Now on to the agenda today. So, we’re going to get through a fair bit. We’ve broken it up into three main sections. We’re going to have a look at basically what fraud is and some of the elements of fraud, the types of fraud and looking at charity vulnerability and susceptibility to fraud.
Then some of the more practical aspects in that third section thereof preventing, mitigating and managing fraud. That will touch on some of the warning signs too, so we'll have a look at the sorts of things that as people involved in charities, that you should be looking out for.
Then we'll finish it up with a question and answer session and again, as I mentioned, if there are questions that keep popping up throughout the webinar, then we'll address those at the end. But feel free to watch the discussion properly before you send a question too.
Okay, let's get started. This is the first topic, what is fraud? But before we do so, I'll just ask the two guests today to just introduce themselves. Good morning, James Bennett from the ACNC. Do you want to give the audience a quick overview of your role at the ACNC and your experience?
Thanks, Matt. Yeah, so I’m the Director of Compliance at the ACNC. That takes into account our intelligence and investigations functions. I’ve been there for about two years. It’s part of a nearly 20 year career, mostly in the public service, and largely around compliance and audit functions.
Great. Oliver May, not from the ACNC, from Deloitte. Do you want to give the audience a brief introduction of your role at Deloitte and your experience?
Absolutely, thanks Matt and good afternoon everybody. So, I started my career in law enforcement in the UK, mostly in the Serious Organised Crime Agency, which is now the National Crime Agency and was a bit like the AFP or the FBI.
After that, I became the Head of Counter Fraud for Oxfam GB working across 54 countries, 31,000 staff and volunteers and now I assist non-profits, government agencies and corporates to tackle integrity challenges, like fraud, corruption, sexual exploitation abuse and counterterrorism.
I'm really passionate about helping the sector to protect the awesome work that it does from that unfortunate side of human nature. It was a particular pleasure to collaborate with the ACNC to develop the Governance Toolkit.
Yes, definitely and we hope a lot of people of gotten a lot of use out of those resources on the website over the past couple of years.
So, clearly lots of experience to draw upon today and let's get into it with the first part of today's session which is what is fraud. You can see the question there. Of course, everyone has an idea of fraud and just generally, colloquially we know what fraud means.
But getting beyond that, James I’ll go to you first, could you just give us a quick overview of what fraud may encompass beyond that which is the regular understanding, I suppose?
Sure. So, there’s the criminal definition where we’re really talking around someone obtaining a benefit or creating a loss for another person by deception. So, that's the criminal definition that will normally be by law enforcement agencies, the police.
There's a broader concept, I think what we’re really talking about, is to me its misuse. It’s one of the things that I guess we see in the work that we see in the work that we do at the ACNC is where someone is misusing their position or misusing charity resources or using one to do the other to obtain a benefit for themselves.
So, I think like I said, I would define it as misuse and it’s the broader concept. One of the things we often end up talking about we benefit. So, a charity decision maker, using their position to get a private benefit, usually money, not always, from their position within the charity. That’s definitely the thing that we see more and I think it fits within that broader concept of fraud that we’re talking about today.
Yeah, right. Ollie, what are your thoughts on this question, what is fraud and what it encompasses?
Yeah, I think there’s a couple of points that charity sometimes miss on this and I think the first is that fraud is not just about making a gain, it can also be about causing a loss. So, there was a case I dealt with where a legislation may have committed fraud to swing a contract to a particular supplier. They were falsifying quotation documents. That wasn’t because they received a kickback, it was because they were under time pressure and wanted to get the job done. They had that mission focus. But unfortunately of course in doing so, they caused a massive overpayment, so there was that loss there.
Another thing that I think that’s important to remember is that it’s also about it could be fraud to misrepresent your skills or your capabilities, so individuals lie on a CV, that could be fraud.
If a charity overdresses its capabilities in tenders for contracts, that could also be fraud as well. But I think one of the most important points I’d make is that I think we need to avoid assumptions when we’re thinking about severity of a fraud, so there’s a big temptation to see a fraud of only a few dollars as a small fraud.
But the reality is actually that could be quite a big deal if the person committing it is in a position of authority or enjoys financial delegations because that effectively means that the individual has shown dishonesty and that puts everything else they have control over at risk.
Whilst that might sound harsh, remember we’re not talking about honest mistakes here, we’re not talking about good faith errors, we are talking about an intent to deceive, and that’s serious.
Yeah, definitely. I think both of the responses to this question here, you've touched on these elements on the screen and dishonesty being one of the underpinning elements of fraud, whether that be as James mentioned the criminal definition or the way in which we understand it colloquially.
We'll have a look at the kinds of fraud. You've both got vast experience in different areas and I'm sure anecdotally you would have seen so many different kinds of fraud, it manifested in different ways over the years. But we'll think about in the charity not for profit sector, and we'll attack this I think in two ways.
First, we'll have a look at the kinds of fraud that we've seen and is that similar to other fraud that may pop up in business or other sectors, and then secondly, we'll have a look at whether or not charities, in particular, are vulnerable or particularly susceptible to fraud.
So, first let’s have a look at the kinds of fraud. Ollie, I’ll go to you first this time. In your vast experience over the years, what kinds of fraud have you seen as being common amongst charities and the broader not-for-profit sector?
Look, I think that question that you raised about whether charities experience different frauds to other sectors is a really good one, because I think the reality is [inaudible] opportunist, so whenever you’ve got humans and things of value in the same place, and they’re going to reflect the kinds of business processes that you can have. So, if you [inaudible] things you’re at risk of procurement fraud. If you have payroll [inaudible] have expenses processes, you’re at risk of expenses fraud.
So, in reality, charities experience many of the same kinds of fraud as other organisations. And things I’ve seen kind of on an internal side include false invoicing, timesheet fraud, lies on CVs, as I’ve mentioned, abuse of assets like phones and vehicles. Making out checks to cash but then claiming on the stub it was through legitimate expenditure, and then taking the cash. I’ve seen that, that still happens.
Double dipping where you report say an output to different funding organisations. Externally suppliers double charging, delivery partners falsifying outputs and of course, remember people just straight up stealing assets and stocks.
Yeah, right. So, lots of different kinds there. Actually, you touched on a couple of good points being you mentioned the external and internal and I think it’s worth taking a moment to focus on this a little bit and James, I think you’ve got a couple of points to make here that fraud can happen amongst people involved in a charity, whether it be internally in the organisation or externally such as Ollie just mentioned, suppliers, contractors and that sort of thing.
Yeah, look, Ollie’s completely right and with fraud risk mitigation I guess there’s the classic distinction between external and internal.
So, I guess what we see from our work for an external, we see some cases where someone outside of the charity is misrepresenting themselves as a member to the public to get donations. I’d refer people to the ACCC’s website Scamwatch. There’s a charity section on there which talks about some of the ways that’s going on. It doesn’t cost charities resources but it is reputationally bad for the sector, and dishonest.
We also see external people attempt to defraud charities, so that might be a program the charity’s running where people are applying for grants or support that they're not entitled to. We saw that occur through bushfires for example with a lot of donations came in and unfortunately, some people made claims to charities for support when they weren't affected.
Internally yeah, definitely there and I guess I put this into two categories as well with an internal. We have so many charities set up to obtain money, but not intending to do the purpose for which they obtain, which they are promoting themselves.
That might be public donations or it might be government grants and there’s been a number of prosecutions over the last 12 to 18 months of people who set up charities that were completely fraudulent from the outset. You could also within a charity, people misusing their position to obtain a benefit and this is where Ollie was talking about procurement risk, so people directing charity contracts to providers from which they’re going to derive a benefit might be a kickback or it might be the company that they’re employing via the charity, so they make a profit at the back end coming out of the company or things like a misuse of the charity credit cards, other direct payments from the charity to themselves that they’re not entitled to. So, these are the things that we do see unfortunately occur sometimes in the sector.
Yeah, right. I think what’s coming through in some of these examples is the uniqueness of a charity’s position in that they’re set up for a different purpose to say a classic business or other industries, which is a good way to get on to the second question I wanted to address in these kinds of fraud is that whether or not charities because of that unique position they hold they are particularly susceptible to fraud or have particular vulnerabilities to fraud, or particular kinds of fraud.
There may be a mixed answer here, I’m sure there are a bunch of elements we can get into. I’ll go to you first, Ollie, what’s your view of a charity’s position in relation to fraud? Is there any particular susceptibility or vulnerability?
Look, I think you do occasionally hear people who think that the charity sectors are more vulnerable to fraud than other sectors. I'm actually not sure how helpful it is to think of the charity sector as more susceptible to fraud than any other given sector.
I think the reality is that any organisation in any sector, any organisation's resilience to fraud depends on how well it has evaluated its risks, put in place things to control them.
So, for me, the real question is not whether the charities have more fraud than other sectors, but whether they recognise the risk and respond to it as effectively as other sectors do. There's definitely scope for improvement there.
That said though, I think charities do share a common fraud enablers of many sectors but there are a few common things that we often see that are part of charity’s unique risk profile. So, one of those is cultures of trust and trust is important of course, but it needs to not be at the expense of vigilance, we need to find ways to hold that trust and hold that vigilance together intention.
Hierarchies of values as well where we might not want to deal properly with a fraud issue because worried about reputation impact or we might not want to invest in the procedures and the systems that prevent fraud because they’re seen as less important than budget lines that might more instinctively feel that they relate to delivery, even though these things are about delivering safely.
In particular, a race to the bottom on admin and overhead that reduces appetite for activities that are really important for controlling risks like finance, procurement systems, HR, IT. Charities I think can be susceptible to that risk if their honourable operational ambition outstripping the resources they’ve got to do it safely and that creates gaps that the fraudsters can jump into.
There is I think a myth that larger charities are less susceptible to fraud than smaller charities because they have the systems. I actually don't think that stacks up when you unpack it because larger charities have more transactions and more funds. So, actually, the scope for fraud is larger.
The one thing I think that determines whether a charity is more at risk than another is that point that I made just at the outset, how well have you assessed your risks and put in place effective and proportionate counter measures, and you can do that whether you're the smallest food bank in Sydney or Australia's largest and most celebrated international NGO.
Yeah, right. They’re really good points and I think that fundamentally gets that, it’s not the sector as some homogenous lump, there are so many variables within the sector and it’s about assessing risk.
James, what are your views on this? Do you think that there are particular susceptibilities and vulnerabilities within the charity sector, he says having just said to not look at the sector as a homogenous lump. But what’s your take on this?
Yeah, I think what Ollie said is right. I hear arguments of we’re less susceptible because people are passionate about what they’re doing and they hear arguments that we’re more susceptible because we don’t have the resources and the skills and we don’t commit to fraud prevention.
I’ve not seen anything where it’s measure, whether it's more or less. I harp back to yeah, it's opportunity. There's money there and there's people involved, unfortunately. It's about your protections. I've got two more points.
One is we had a look at some of the bushfire charities in a report late 2020, one of which was a large multinational used to dealing with hundreds of millions of dollars, if not more every year, and they were targeted in some instances in fraudulent claims, and we were able to identify it.
We were also dealing with a charity went from relatively small to all of a sudden having tens of millions of dollars, and the need to change their governance and structures to protect against fraud was really there. So, you can see this shift between having frameworks and suddenly needing frameworks that maybe you don’t have.
Then I think the one item, and I have spoken to Ollie about this that we’ve talked about is what we talk about as a founder’s syndrome or where there’s an individual or a couple of individuals who are central to that charity and have been, usually been there all along but largely controlled decision making and it’s something where that person’s so trusted and is the heart of that organisation that their actions aren’t necessarily governed or looked over as strongly as they could be and that opens up a risk that’s probably might be in the sector more than others. Like, that’s purely it all.
Yeah, right. It’s a good point. It’s a good one to recognise too, because I think that founder’s syndrome as it’s known, is one that I think many people may recognise, particularly if a small charity grows and becomes larger, gets more supporters and money over the years.
It's one that, as you both mention, the right policies and procedures in place would help to mitigate against any bad turns that the charity may take under the founder's syndrome. Just before we move on to the -
Oh, yeah, go ahead, James.
It comes back to Ollie’s point, it’s about recognising that this is something that’s there, that the circumstances might have changed, and now it’s to put in these processes to identify and mitigate those risks.
Just before, there was something that you both mentioned. Actually, Ollie, you mentioned it first and just before we move on to the third part about some of the practical tips preventing and mitigating fraud, I did want to touch on one thing that you mentioned, Ollie which was you called it the race to the bottom and this idea that charities are under such pressure to use their limited funds for as many people will have heard in this discourse for the cause, I use air quotes there, that there's a sense that putting money towards other things such as fraud mitigation and systems and procedures would be unnecessary or even wrongly diverting funds needed for the cause of the charity.
That's a myth that I think needs to be busted I suppose in the charity sector because putting funds towards these sorts of things is important in that it helps the charity ultimately pursue its charitable purpose without having to worry about the knock-on effects of serious things such as fraud.
Yeah, I completely agree, Matt and I think clearly there is another end of the spectrum where there are charities that are spending way too much on that sort of thing and that’s a governance and stewardship issue.
But the reality is I have seen that far less than I have seen charities under pressure from the public and from donors and from the kind of expectations we set ourselves to minimise the business support costs that we really need to do our work safely. I think it’s important to remember as well that a lot of work the charities do is actually quite technical and can be quite specialist. It needs these supports around it to make sure that it’s being done safely.
And James, of course as from the regulator's perspective, spending on these sorts of things is not only is it not breaking the rules, within reason, of course, the details matter, but it's actually encouraged to ensure good governance.
Yeah, absolutely. So, it can be a return investment question and you put in for a prevention, you prevent loss, you maintain reputation. Our expectations or the way that we would regulate this would be for charities to be run well, is my short version, and what the sport of fraud prevent mechanisms you might have, they’re going to depend on are you small, are you large, and also what are you doing?
Like, are you giving out direct cash to people who apply for support? Now, that’s a higher risk venture, we would probably expect a higher level of protection built into your governance and your processes.
Okay. Let’s move on to I suppose we’ll call it the practical section of the webinar today, the discussion which is the prevention and mitigation strategies of course. We’ll move on to managing fraud too, so we accept that some things may pop up and then charity will need to know what to do in case they do come across it.
So, how can we prevent fraud? How can we set up strategies to mitigate it? James, I’ll go to you first. Are there any particularly good maybe not the silver bullet or the panacea to solve everything, but particularly good steps that a charity can take or should take to be able to prevent and mitigate fraud?
Sure. Look, it starts with having good policies and procedures that address where you're at. So, that's this size question. It's also an activity question and where is your money going and how are you controlling that. Now look, some of that it's a little bit horses for courses, unfortunately.
What we do is there’s a bunch of guidance on our website, some sort of stuff around fraud prevention. There’s the Governance Toolkit which can give people a heads up. We’ve also put out some small – there’s a Small Charity Library on there that’s a place to go for starting policies if you’re small.
If you’re large, there is massive amounts of research across all sectors around fraud prevention and most of them are going to be relevant.
There’s things around having clear authorisations of expenditure, double sign-off on certain expenditures, copies of invoices and specific locations. If you're really big you can get into data analytics around your expenditures and your payrolls.
You've got board up to date with accurate reporting. Keep control of your charity credit cards. We’ve got them how they spend. Go back and audit them. It’s surprising how often you will find private purchases showing up on credit cards and they're really easy to detect.
Think about your procurement and your decision-making. Who's making the decisions on where that – when it's often a really substantial amount of expenditure going.
I think the second part to policies and procedures is that they’re live, they’re not just something that sits on a corporate intranet or in a folder on a shelf. People actually have to understand and implement them and sometimes that therefore requires spot auditing that they’re actually being done properly. That’s a really effective mechanism.
Again, it’s getting more costly to choose your weapon, depending on where you’re at. I’d also pick up some of the questions coming into this webinar was a lot of what can small charities do. So, I think there’s guides on our website but I'd say there's two things, there's a low-hanging fruit around asking yourself a couple of questions. One is, is there a conflict of interest here, and are two people going to look at this expense, whether it's on the way through or afterwards, pretty cheap to do.
Then the other thing, the small charities just to be aware of your growth. As you become bigger, as you bring in more assets under your – or resources under your control, be thinking are our current processes still appropriate. Do we need something more, do we need some more skills that we don't have.
Ollie, have you got anything to add to that? I know James has covered quite a bit of territory there, but in your experience in this area what would you say are the strategies that the charity can put in place for preventing and mitigating fraud?
I think James is bang on and I would echo that really strongly, that point about procedures being really important. Not only do they set out the best way to avoid a risk, but if you've got them it makes it much easier to identify variants.
You can't know what wrong looks like if you don't have a right. I think as well, having policies and procedures is the first thing, but the second is making sure that they're appreciated and followed.
Charities are very action-oriented, they're very innovative, they're very outcome focused. So, sometimes procedures can be seen as bureaucratic red tape including those that control fraud.
So, one of the things that I think we need to do in the sector is think about how we frame compliance with procedures in charities. Some messaging that I found to work really well is following procedures as about teamwork.
So, number one, following procedures allows others to understand what you're doing and how you're doing it, other teams' work depends on whether you follow procedures.
And number two, procedures are not about policing you, they’re about you working together to make it easier to spot others who might take advantage of your charity.
Thirdly and finally, procedures are not the only way that we tackle fraud. It’s not just about following them, it is a really important part of the picture though.
But I would also lead me on to a quick mention of culture. It wouldn’t be a webinar on fraud if we didn’t talk about culture. We need in the charity sector to create cultures where it’s okay to raise concerns and challenge things.
I think this links back a little bit to the point you raised James about founder’s syndrome. It can be a problem in a charity of really any size, but you can often guess whether you’ve got the right culture long before anybody encounters something that they need to report.
How are your people behaving in meetings? Does everybody contribute? How egalitarian is your workforce or volunteer group or are you dominated by a small number of powerful voices? Do you have accountability bottlenecks? Are there particular individuals who could stop or block concerns before they get to the right place?
I think a couple of points you touched on there, and culture I think brings it to life, is the idea that procedures being there not to police the staff and not to be overly bureaucratic or be a hurdle to getting things done, because as you mentioned, many people in charities are action-orientated and just want to get stuff done.
It may be worth questioning the procedure if it does feel like it’s overly bureaucratic or if it’s too hard to follow, then that may be a warning sign that you might need to review that procedure. It’s not the procedure itself, the concept of a procedure is wrong or inherently bad in preventing you from getting stuff done, it’s that it may need to be reviewed, it may need to be updated because it could have been written six years ago and be no good anymore. So, this idea that cultures in an organisation will question the organisation and lead to improvements and review is a really important aspect.
It’s an excellent point, Matt and I think one of the challenges that charities can often experience with procedures is that they are either too bureaucratic on the one hand and suffer from low compliance because they’re too difficult to comply with and perhaps are actually disrupting the charitable purpose, or they’re too loose or not followed on the other.
Of course, the key to making sure that your procedures are effective and proportionate is having a risk assessment and that’s a good risk assessment template finance abuse in the Governance Toolkit. There is a challenge I think around the way that we do think about risk, whether it’s the charity sector or not, we’re not good at understanding risk and we’ve seen that problem in particular over the last 18 months with the pandemic. That kind of makes sense.
Our brains are evolved to make very simple decisions based on the likelihood of whether there are juicy berries in the forest over there or bears with pointy teeth. Anything more nuanced is a challenge, but that’s fraud.
Fraud is constantly trying to hide from you. That’s in its DNA. So, starting with a risk assessment and doing it in a really consultative and collaborative way, and gathering as many perspectives as you can from across your charity as you decide what the right kind of policies and controls are for you, is absolutely critical.
Yeah, I’ll just add in there, I think those procedures that we’ve largely been talking around are expenditure and procurement processes and you don’t want them to be inhibitive onerous.
There’s also a set of procedures around whistleblowing. So, if you think someone’s done the wrong thing and even if it’s a senior person, do you know what to do, what is our organisation going to do? So, that’s another set of procedures or policies that can just sit there in the background and be used when needed. So, it’s not onerous, not in your everyday business, but it gives you a confidence about what to do if something’s a little bit stinky.
Yeah, right. Absolutely. All right, we’ll move on to some – actually, just before we get to warning signs, I think people will be interested in the warning signs aspect of it. This final dot point here on the screen if people are looking at the slide, you'll see we've got oversight there.
James, I just want to touch on this one with you briefly. The importance of oversight at the board level. In much of the ACNCs resources, we refer to the board as Responsible People, a legislative definition of what a responsible entity is. But oversight of the board is really important too, of course, it’s striking a fine balance. You don’t want every single operational decision to have to go to a board meeting to be approved. But at the same time, the board shouldn’t be kept in the dark from many of the operational stuff that allows the charity to do what it’s set up to do.
Yes. Look, and again I’m going to say it changes with scale, but fundamentally what you want the board to have is enough and the right information to know what’s going on at charity and ask questions. So, in context of fraud, a lot of this is going to be financial reporting, like that's clear and then to actually show where the money’s going, you might have policies within charity that talk about expenses over a certain amount, or procurements over a certain amount need to be either approved or reported to the board. So, before or after the fact. But the fundamental question is enough information for them to know what’s going on and that's got to vary.
Yeah, for sure, and getting it to them too. So, it may be that a regular standing item on the board’s agenda is some aspect of oversight of operational, which I assume many charities would be doing anyway. But making sure that step is appropriate for the size and the activities of the charity involved.
It is. And we think so. I’m thinking about some charities that its function is to give out grants, for example. Those grants are then, what’s done in the month, or the quarter, are reported to the board and saying, “Hey, this is the money we’ve given, this is why we did it. Here’s the people who signed off on this.” We’ve declared that there's no conflict of interests in that decision, to me that's where boards [inaudible]. And at a large, at a high procurements risk charity, that's the sort of detail the board needs to know, that when the money’s going out of the charity, it’s going out appropriately.
Okay, let’s move on to some warning signs. Ollie, you get first crack at this one. So, what are some of the indicators that there may be some wrongdoing afoot in a charity?
And of course, we're not trying to give a list of conclusive proof or fraud, but things that may indicate something's not quite right. What are some of the things that you would suggest people involved in charities, whether they be small or large, look out for?
Look, I think most people these days would recognise the most common examples to red flags, expense claims that look doctored or multiple authorisations just below someone’s authorisation level or the finance manager driving around in a new Maserati, that kind of thing.
There are those lists online by the way, you can search for lists of red flags online if that's something that you want to get into. They’re massive, because they’re very contextual and very dependent on the circumstances. But I think there are some more subtle warning signs to look out for, which suggest that your overall risk is higher in your organisation.
Some of those things would be, are there supplier relationships that certain people in your charity guard quite tightly? Are there managers or leaders who are commonly authorising procedure overrides? Are there systems that are clearly vulnerable to fraud, but no one seems to do anything about them, they just trundle along.
And this reaches back I think to something you mentioned earlier as well, Matt, do you think that it’s impossible that fraud could happen to your charity or that your people are less likely to commit fraud because they are committed to your mission, which is a myth. These are enabling factors that I've seen before in environments that were really at risk of charity fraud.
Yeah, right, that's a really good point that last one, because I think we all think that. The people that we know, the people that we work with are the good people and of course, fraud couldn’t infiltrate our organisation.
I think that's a common one that, look, we’re not trying to encourage rampant cynicism and almost paranoia of your workplace, if you’re in a charity. But of course, it’s just recognising the reality that the warnings signs may point to risks, if not wrongdoing. Even if you believe your organisation is pretty safe from such things.
James, what can you add to the warning signs here?
Sure. I guess probably the biggest thing we look into is this aspect of private benefit. People getting private benefit from their work, with a charity it's something that's come up in 60 of the 100 investigations that we've done. That means look at it, it doesn't mean we found it to be a problem, but it means we looked at it, it was something that we felt was worthwhile looking into. I guess it arises largely in two key ways.
The first one is procurement. Procurement from companies related to the decision makers. So, if you want to talk about warning flags, do you know that the company you're buying from is owned by the person making the decision, or the wife of the person making the decision. If you do know that, have you actually gone through a conflict of interest decision making – a conflict of interest assessment in that decision making.
Because it’s not naturally – it’s not necessarily bad. Often people will get market or below market rates from these related companies. What we’re looking to see is that the decision was made in the interest of the charity and not the individual. Who will derive an element of financial remuneration?
I guess the other side of it is direct benefit – and I keep coming back to misuse of charity credit cards or payment of bills for people, cars, accommodation, that sort of thing. Travel, international travel when we could, was another one. So, if your charity has credit cards, pays for travel, pays for other expenses, you can audit those. Particularly credits cards, they’re really easy. Or you can make sure that the approval of the other expenses are done by someone else. People shouldn’t be approving their own expenses.
Yeah, definitely. I think the point you made about a conflict of interest is a really important one. So, if you've got a really strong conflict of interest policy and procedure, and this comes back to something you both said earlier, if the organisation knows about the culture of the organisation is that a conflict of interest is dealt with in a confident way, thoroughly, then that can mitigate against many of these potential avenues for fraud.
Let’s have a look at managing fraud before we get into some questions from today’s audience. So, sometimes things are going to slip through the net and organisations will come to a stage where they have to manage something that has happened or it’s in the process of unfolding.
So, what to do when you do come across instances of fraud, and again I understand that this will be largely dependent on the context as we mentioned at the very beginning. There's this small-scale fraud right up to massive, large-scale criminal fraud. So, James, I think we’ll go to you first and then Ollie’s got a few things to add. But what should an organisation do when they do come across an instance of fraud, whether that be the small-scale stuff or even right up to the larger criminal stuff?
Sure, look, if you become aware of an issue or an incident, in most cases, there's going to be some reporting obligations. Some of that is to us either formally or informally. We do get contacted by charities where issues have arisen, and we welcome that. That sort of pro-active declaration usually with and this is what we're doing to fix it isn't likely to get you into trouble with the ACNC, because you are identifying it to us.
There may be other reporting requirements if it's highly significant, then it's likely to involve your state’s police force for example, or the AFP. If it’s overseas we’ve got a different set of questions, there.
I would say identify your regulatory obligations in that instance and report as required. The next thing is fix it. You might not be able to get the money back or the resource back, but if you can rectify the problem and that might be people or processes, whatever that is.
I point to a case in our Annual Report from a few years ago where a charity had been defrauded by an employee. They went out, they fixed it, they were willing to go public and say that this incident happened and that's a reputational matter aspect to it as well.
Yeah, right. Ollie, what can you add to this part of the discussion, how can a charity manage fraud if they do come across an instance of it?
Well, fully agree with everything James has said, of course, and in particular, if a charity's following the ACNC Governance Toolkit, then it should have some kind of response plan to follow and that's really important because it's going to be a stressful and risky event. You don't want to be making it up as you go along. You want to have done that preparatory work so that everybody knows what they need to do at the right time, if it happens.
I think as well, when you do take action within that response plan it’s important to remember that you’re not just managing the risks of the incident itself, also the risks that you create by the actions that you take to respond to it. So, you have to get the right technical advice. I mean, that might come from lawyers, HR professionals, forensic accountants, risk and compliance professionals.
I would also say as well, be careful about letting the value of the fraud decide how much you need to do about the incident. As I mentioned earlier, a small value fraud is not necessarily a small risk issue. So, look at what it shows you. Does it show you that you've got to key person who may have been dishonest? Has it exposed a gap in your procurement processes or payroll practices or expenses procedures that could be abused to much a greater extent?
I think my key point here and this I think is really important because I don’t hear this enough. My most important message is that finding fraud is a good news story. We need to challenge narratives that detecting of fraud automatically means that the charity is weak or corrupt.
Actually, fraud is a common business risk for all organisations, [inaudible] right thing, it probably means your charity is role modelling stewardship and transparency and accountability. It takes these things serious, and it’s got dedicated people who will do the right thing when they encounter something wrong.
Yeah, that's a really good point. I think probably a counterintuitive one for many people and I can see a link to the earlier point you made about the admin costs argument too. They pull on similar intuitions I think in that admin costs are bad, because it's diverting funds away from the cause. Whereas in reality, it’s supporting the cause, similarly here, being open and honest about having detected and managed fraud is bad, because it suggests the organisation is weak or corrupt as you mentioned.
But counterintuitively, it's not actually, it shows that they've got a strong governance underpinning the operations of the organisation and it's able to deal with fraud confidently, manage it and then come through it and talk about it openly.
Yeah, absolutely and it reaches back I think to a point that James about whistleblowing. So, very often when a charity launches a new whistleblowing system, whether that's a hotline or a policy or some awareness, detections go up. People raise concerns about things. And we might misinterpret this, the rise in fraud or issues. But what’s really going on is that people are more aware, and they feel more confident, and the charities take the issue more seriously.
Yeah, definitely. Okay, that brings us to question time. So, that's the formal discussion for today. We have had quite a lot of questions come through and I’m sure James and Ollie you’re both eager to face them and provide some useful answers. I’ll get at a couple of the more common ones.
I’ll start with one about working from home, actually. So, there's been a couple of questions about how the expansion in work from home everywhere may have affected fraud risks and does this work from home revolution make charities more vulnerable to fraud, and I suppose the follow on from that is that, is there anything we can do to mitigate risks in working from home.
Ollie, I’ll go to you first, I suppose this touches on some digital security given that we’re all operating digitally on our computers from our kitchens.
Yeah, absolutely, I have a couple of thoughts about this question. We've definitely seen an uptick in phishing attempts, exploiting the distance between us. So, make sure that you have a culture where it’s okay to phone up someone to check that what’s been received is real.
I've seen a case where a CFO was impersonated in asking for a payment to be raised. Unfortunately, that CFO was part of a culture where it wasn’t okay to raise concerns and that's how that issue was able to occur.
The other thing I would say as well is beware confidentiality, we're seeing some risk around people having conversations on Zoom or what have you, without realising how much can be heard by neighbours or others. I'm next to my front door and I'm pretty confident that most of the people in this building can hear this. That's okay, because it's public. Just need to have that awareness when we're talking about confidential charity issues, especially issues relating to financial matters and so on and so forth.
Another thing as well is remember that when we’re all working together in one place, there are a load of informal checks and balances on behaviour that you get when people share that space. So, it’s useful to think about how you’re going to replicate that, if we’re all spread out. How are you going to preserve that sense of tribe, how are you going to replace that informal oversight with formal checks.
That said, be really cautious about what you do to respond to the perceived risk of greater scope for timesheet fraud when people are working from home. I am seeing some organisations in some countries using platforms to monitor employee activity at a very granular level. That might be okay for them, it might be okay for their situation, but I would warn that if you’re tempted to do that, think really carefully about the risk that you could actually elevate fraud risk, through making your employees and your volunteers resentful and disempowered. Be really cautious about that.
Yeah, good points. James, have you got any thoughts about the work-from-home aspect of today's working world and how that affects risk of fraud?
Not on this one. I’m happy to leave it with Ollie’s answer.
Yeah, he covered it quite well. But I will come to you for the next question, which I wanted to ask, because it’s come through a bit. It’s somewhat related, and given the ACNC’s experience in some reviews with charities following the bushfires, I think this is pertinent.
So, a couple of questions about fundraising and online fraud, and how best to receive donations and is cash more vulnerable to fraud, for example, say street collectors or collectors at large events. And how about online platforms, is it okay to use online platforms to receive donations?
I know there was a lot of online fundraising during the bushfires of January 2020 and Facebook giving for example, and GoFundMe campaigns and that sort of thing. Any thoughts on this about fundraising online and online fraud with donations?
Sure. So, look, online fundraising is here to stay, it’s not changing, and I think it’s generally a good thing, because it does facilitate that activity. I think where we wanted to be targeted is using reputable platforms to do so. So, whether it’s PayPal giving, or Facebook or some other reputable platform that a charity’s taken, I don't see that as being an escalated sort of risk.
I mean, what we saw through the bushfire it's actually too much money coming in, in a lot of cases. But that's not a fraud risk sort of problem. I would say that an electronic transfer coming in is always going to be safer than cash in the sense that it's bank to bank and there's a record there. I wouldn't discourage against cash raising in whatever form that is, because it is a long term and a valuable way of getting funds into the sector.
Charities do need to – it is probably more at risk of essentially theft at the point of collection. But that's where the charities I guess, processes and people and culture really comes in to provide a degree of protection against it, of protection of that collection.
Ollie, any thoughts on online fundraising and its susceptibility to fraud?
Like, I mean agree with everything James has said, I think the key is the charities that are looking to use those means need to understand how it works and therefore evaluate the risks. And similarly, to what you've said on cash James, look the priority for all charities is to make it as easy as possible to gain donations in whatever form they come in.
With cash though, there is a long history in the sector of abusing it and of collecting donations that way, and a load of really good practice out there from perhaps some of the more mature charities that have been doing it for a long time. If anyone is concerned about the way that they're receiving cash donations and how to better protect those, it’s a great idea to leverage the charity community at large where there's some really great practice.
So, just turning back to the online stuff for one minute, and this is probably like an ACCC Scamwatch aspect to it, is people misrepresenting themselves as being the charity online and collecting into their private bank account. Now, there's not a lot that a charity can do about that because it is private individual engaging in fraud.
But where they can take action where they become aware of that, whether it’s through environment scanning or members of the public raising it with them, saying, “Hey, is this you, what’s going on here?” The charity can have a look into it. Raise it with authorities the ACCC and try and shut that fraud down. Then authorities can try and shut that fraud down. It’s not the charity doing it, but then can help by referring information to the right agencies.
Yeah, right. Then the mechanisms set up by those agencies can crank along and do what they’re supposed to do I suppose.
Another question, actually this one’s a completely different topic, I suppose. It’s about work overseas, so there's been a few questions about preventing and mitigating fraud overseas. Well, first on a practical level how best to do this and are there any tips or special considerations for operating in other jurisdictions, and I suppose what’s linked to that is obligations, whether it be regulatory bodies or under anti-money laundering legislation, that sort of thing if you are working overseas. Ollie, I’ll go to you first on this one.
I won’t talk about the External Conduct Standards, I’ll leave that to the expert, James. But what I would say on this is there's no silver bullet to this question, right. Working overseas has a really special risk profile, there's a lot to take into account and particularly if that's going to be in countries where the overall fraud and corruption risks levels are much higher.
So, if that's what you’re doing, you need to take a holistic approach to making sure you've got the right framework in place to preventing, detecting and then responding to these issues. Matt, if you’ll forgive an outrageous plug, I have two books that may help you. This one will help international charities working in those circumstances and coming out next month is this one around terrorist diversion and how you can manage the risk of your resources falling into the hands of sanctioned entities.
We will forgive the outrageous plug there. Great books no doubt. I haven’t had a chance to read them yet, Ollie, but I’m sure people that do read them will find lots of gems in there for practical tips for their own organisation. Sorry, what the title of the second one, the one coming out next month?
Sorry, that’s ‘Terrorist Diversion: a Guide to Prevention and Detection for NGOs’. A catchy little title.
Right, yes. I suppose mostly relevant for organisations that do have work in areas more susceptible to identified terrorism, right?
Yes, but those areas are wider than a lot of people think. So, it's also about working in places where sanctioned entities are fundraising. So, I think everybody would for example recognise Somalia as a country of risk, but actually, countries on the border with Somalia are places where al-Shabaab is known to fundraise. So actually, the risk lives in places like Kenya as well.
Similarly, there are also forgotten risks and forgotten issues around the world. People wouldn't realise for example their kinds of risks also exist in places like the Philippines rather than the places that we more readily associate with these risks.
Yeah right, good point. I suppose that's something that does slip the mind of lots of people because the names of these countries you don’t automatically associate with that sort of risk, but it’s important to know the relation.
James, Ollie did mention External Conduct Standards. There is one that does touch on fraud and corruption specifically. Is there anything that people in charities with operations overseas should think about for mitigating fraud?
Sure. Look, there's one that goes to fraud, there's another one requiring reporting from a third party that you engage with. And there’s been a lot of what we say, noting this is quite new legislation, it’s only really been an issue for the last couple of years. A vast majority of the Australian entities engage a third party overseas. So, a charity that's operating over there. So, there's a relationship as opposed to direct delivery in a lot of cases, particularly around smaller and medium rather than your large international charities.
For those smaller and mediums, I guess it's probably two things you want to be doing. One is to make sure you know who you're working with and that's something you need to establish before the engagement and continue to monitor throughout the engagement as best you can.
I think the second part is if you're sending money, do it through reputable channels. So, bank to bank transfers, Western Union, whatever, not endorsing a particular product.
But also, the other thing that we see sometimes is money going from the charity to an individual overseas and I think we would prefer that money went from the charity to an organisation overseas. Because that organisation is going to have more people looking at what’s happening and there's usually a greater capacity to review and audit. So, from a couple of practical aspects, send it electronically and send it to an organisation. You’re probably in a strong sort of point.
Yeah, good practical pieces of advice there. Of course, there may be difficulties in doing such things, but it’s worth taking the time to think through those processes and make sure you've got the right ones in place to go as far as you can to mitigate these sorts of instances of fraud or at least the potential for fraud.
Yeah, absolutely. Especially if there's a large amount of the work isn't necessarily post-conflict. It isn't necessarily to terrorism risk countries, so in those more stable sort of environments, it's a lot easier and we understand that for charities to set up these processes.
Okay, I think we’ve hit the one o’clock mark, and that brings us to the end of our time today. Before we do finish up, I’ll give you both the floor to make any final comments or suggestions or advice or anything you’d like, a bit of freestyle here for you, if you want to take the opportunity to talk to the audience. Ollie, anything you’d like to pass one to the audience before we finish up today?
Just to finish on a really positive note, that when I first entered the charity sector more than a decade ago, this was not a risk or an issue that people were really talking about. It was a very low degree of awareness, but here we are today, and it’s much more readily known, it’s much more readily understood. A lot of charities are doing really awesome work to tackle their risks. So, we’ve come a long way already, and there's still some distance to travel.
Yeah great. James?
Sure. There's a lot of guidance available to charities through our website, probably a good first point of contact. You’ll find that a lot of the work that's been done around fraud prevention in other fields and other areas as well is actually applicable. We’re organisations, that you can draw rules across there, and of course, there's Ollie's books as well.
Yes, of course. And it's a good point about other organisations. Don't necessarily think of the charity sector as being in the unique position whereby nothing from other industries or areas can help. Of course, there are lessons and underlying principles that can be applied to charities as much as they work for other organisations.
Okay. Well, that does bring us to the end of today's webinar, and I know that we didn't quite get to all the questions and of course, we weren't able to address them live with Ollie and James. I do apologise for that, there was quite a lot of questions coming through. So, we will endeavour to get back to you all via email, we’re not going to leave any questions hanging. So, we apologise for not being able to address them now, but we will get to them in writing.
Just before you do leave a couple of things that you can check out if you want to stay in touch with these issues we discussed today and the stuff with the charity sector and the ACNC more broadly. There's lots of web guidance touching specifically on these issues on the website, you can have a look at that. The charitable purpose is an e-monthly newsletter that goes out to all subscribers. You can subscribe to that on our home page. More webinars, podcasts about various topics on our website and if you've got any questions about your charity just in general go to firstname.lastname@example.org. We’re pretty active on those social media channels down there.
We have recorded today’s session and we will put this on the website for viewing later as well as our YouTube channel and we’ll send out a follow-up email that contains lots of links to all the resources we mentioned today as well as a copy of the slides as useful as they may have been for you and a link to the video so you can watch it at a later date.
Finally, if you have any questions, comments or feedback about the webinars, in particular, email@example.com is the address to address those. As we finish this, I think there'll be a short survey that pops up at the end. So, if you're inclined to give immediate feedback in a survey that takes probably less than 20 seconds to complete because there are only I think two questions, maybe three questions from memory. If you can take the 20 or 30 seconds to fill that in, we'd really appreciate it. We do get a lot out of the feedback in that post-webinar survey.
So, thank you very much for your attendance everyone today, we really appreciate it. It was well attended, and we hope you got a lot out of it. Thank you very much, James, for giving us your insights and knowledge on this topic from your vast experience.
There he is. And, Ollie, thank you very much for helping the ACNC out with this webinar on fraud given your expertise in the area, we really greatly appreciate you being able to impart your knowledge and expertise for the audience.
My absolute pleasure, thanks very much for the opportunity.
Okay, everyone, it's now one o'clock, well Melbourne time it's one o'clock, I'm sure if you're watching from a different jurisdiction, you've got a different time. But nonetheless, it is time to wind up the webinar and we’ll see you next webinar which is likely to be in the new year. So, thanks very much for your attendance today.