October 17-21 is Charity Fraud Awareness Week, and our webinar looked at fraud threats that charities may face, and provided plenty of guidance on the ways charities can protect themselves against fraud.

Webinar transcript

Louis Hine
Hi everybody. Welcome to today’s webinar. Today we’re going to have a look at what you can do to protect your charity from fraud. My name is Louis; I’m from the ACNC’s education area, and joining me today is Ian and Serena, who are in the compliance area for ACNC. How are you both doing? Good to have you here.

Serena Trezise
Hi Louis. Thanks for having us.

Ian Parry
Thanks, Louis. Hello everyone.

Louis Hine
Firstly, we’d just like to acknowledge the Traditional Custodians of country throughout Australia, and their connections to the land, sea and community. We pay our respects to them and their cultures and elders, past, present and emerging. Today, this webinar is being present from Wurundjeri land.

So, just before we begin, I’ll cover off some housekeeping details here. If you have any issues with the webinar audio, you can try listening through your phone. You can just call the number listed in the email that you would have received when you signed up, and there’ll be an access code there and you can listen in that way. We’ve also got some colleagues today, that’s Catherine, Gabby and Georgie, who are going to be answering some questions in the background as they come through. So, feel free to type in a question or two in the GoToWebinar interface. They will be getting through those answers as we go, and we’ll try to answer as many as we can as it happens; but if we don’t, there will be a chance for you to send an email to us at education@acnc.gov.au and we’ll be able to respond to you after the webinar as well.

Just so you know, we are recording this webinar, and the slides and the recording are going to be available on our website at some stage in the next day or so. We’ll also send out an email to everyone who registered today, to give them a link to the recording and some of the other resources that we refer to today. We might mention some of those website links during today’s webinar, and if we do, we’ll just drop them in the chat as we go along, so you can see. And finally, we’d really like to grab some feedback, if you would like to provide it. There’s going to be a little survey after the proceedings today that will take probably about 20 seconds or so. If you want to go and answer a couple of those questions, we’d really appreciate that.

Just a bit of background on today’s webinar. You might already know, but it’s Charity Fraud Awareness Week, and we like to have a bit of discussion about it, raise that awareness every year, because it is a really important topic to be across. So, moving on here, what is on the agenda today? Today we’ve got, what is fraud and how can I recognise it? We’ll be talking about some of the techniques for preventing, mitigating and managing fraud, and we’ll also jump through some case studies, just to give a bit more of a practical overview of things when we get to it. All right, so first things first, what is fraud? Obviously, we all have a general idea of what it is, but if we’re being honest, most of us probably haven’t see it up close before, or had to deal with it. So it’s really important to know what to keep on the lookout for, and how to approach it when it does occur. So Ian, could you kick us off here and just give us a bit of an explanation of what fraud really is?

Ian Parry
Yes, no problem. Thanks, Louis. Fraud is the act of deliberately and deceitfully gaining an advantage at the expense of a person or organisation. It can come in many forms and have different degrees of impact, but regardless of the scale, any instance of fraud should be taken seriously. When we’re looking at the types of fraud out there, we can generally put them into two categories: internal and external fraud. The difference here is whether the fraud’s originated from within your organisation or from the outside.

Looking at internal fraud first, as I just mentioned, it’s fraudulent behaviour from somebody inside your organisation. Depending on the type of charity, this can include stealing cash or stock, or not charging people close to them for services, such as friends or family. It might also be someone who’s in charge of a certain area, especially when it comes to money. Incorrectly reporting information, or omitting details to provide a person a benefit is also another example. And these are just examples. Fraudsters can be creative, and it’s important to consider the situation that could potentially arise in your organisation. Another part of internal fraud is that it may not be enacted solely for the benefit of a particular person currently in your organisation. They may be seeking to help a person close to them by wrongly using their position.

Louis Hine
That’s right. On the next slide here, we’ll just have a look also at external fraud, for a bit of an overview. This is fraud that comes from outside your organisation. This could be from suppliers of goods, owners of the facilities, or even just a totally random person with no links to your organisation whatsoever. So, what does this look like, basically? Maybe you requested goods or services from a vendor to help you run things. You agree to a certain cost and quality, but they come back with sub-par services that don’t match up with what you expected. Or maybe your charity gives grants to those affected by natural disasters, and an opportunist or two decide to apply for your funding, despite not being affected at all. All these things are counted as external fraud.

But another aspect to this is scams, or even cyber threats. Those are a big deal in a world where things are more and more done online or electronically. So, for the sake of this format we have, we’ll also include cyber threats as an external element, because really, most of the time this happens, it’s when a hacker out there tries to get access to your charity’s information or assets electronically.

Ian Parry
That’s right, and it’s a really topical issue at the moment, and it’s important for charities to be aware of cybersecurity threats when they consider external fraud. It can be from an employee or volunteer losing a password that’s been written down, or losing a laptop or USB stick, for example, that has information relating to your organisation saved on it. It could also come from a person with no links to your organisation, who’s trying to access information saved on your IT system, or from someone infecting your IT system with a virus that stops you accessing your organisation’s information. So, what does this look like?

Maybe you notice unusual activity on your IT system; maybe an email is received from someone, saying they’re a representative of your bank, a supplier of services or another organisation you deal with, and they ask for your personal or sensitive information. Or they ask you to open an attached document. Maybe an employee receives an unexpected call from someone posing as a representative from an IT Help Desk, and they ask for an IT account information. It’s important to be aware of these risks.

Louis Hine
Okay, so now that we’ve covered the types of fraud that you might expect, that’s internal and external, including scams and that sort of thing, how can we prevent them, or at least mitigate their effects?

Ian Parry
Once you have an awareness of what fraud might look like in the first place, you can then keep an eye out for signs that something dodgy might be happening. For example, it can be worth raising questions when somebody tends to work long hours, or maybe they return to work after hours; or if they resist taking leave or won’t accept help with their duties. In other words, if they seem overly keen on working in certain areas alone, or without oversight.

Louis Hine
That’s really interesting how those little signs might indicate wrongdoing. So, Ian, what would be some of the key points preventing fraud internally? What can charities do to reduce those risks?

Ian Parry
There’s some pretty good ways you can work towards keeping your charity safe from fraud. If we look at the slide, there’s a list here that we can work through. In terms of money handling, have set procedures for dealing with money, with sign-off by multiple people; that’s important. Have limits on the petty cash available. Also, have strong supervision of employee conduct and acquittal of receipts, including where the charity has contracts with related parties. Regarding charity assets, keep a register of charity assets and review it routinely. That’s regular and random audits of all your organisation’s processes. Other things to consider: only allow employees and volunteers to access information they need for their roles. Strong HR management is important.

So that means pre-screening when people sign up as staff or volunteers. Ensure remuneration is equitable. Have job duties that separate responsibilities and implement good training. Explain the policies and procedures your charity has in place to all staff and volunteers, so they have a good understanding of it, and what the consequences are for non-compliance. Other things to consider: have internal grievance procedures; and finally, promote a culture of safety to speak up if something doesn’t look right.

Louis Hine
That’s great. Thanks, Ian. So now, with a few of these things in mind, we’re just going to jump into a case study here, to give a bit more of a practical overview of how you can assess potential fraud. I’ll be passing over to Serena in a sec. As we go through the case study, just try to make a mental note of things that you might question as they come up. So, take it away, Serena.

Serena Trezise
Thanks, Louis. In this scenario we have Maria, who is the CEO of A Helpful Charity Inc. The charity has decided it wants to build a new website so that more people know about its services, and to attract new staff and volunteers. So, Maria proposes to the board that it engages her husband’s IT company, Super Cyber Solutions, to design and maintain the new website. She assures the board that the company will deliver a premium product for a great rate, so there’s no need to obtain other quotes. Super Cyber Solutions submits monthly invoices to the charity. Work is billed at an hourly rate and the invoices indicate that at one point, Maria’s husband was working over 24 hours a day. Payment of the invoices is approved by Maria, as the CEO. So what do we think? Doesn’t sound exactly how you might expect a process like this to run.

Louis Hine
Not at all. It sound like A Helpful Charity Inc. has got itself a bit of a conflict of interest there, from what you’ve said. And for those who aren’t aware, a conflict of interest is just where someone a part of the organisation has a chance to get themselves or someone close to them a benefit by value of their position. So, Serena, could you just guide us through a bit of what A Helpful Charity Inc. should be doing about all this?

Serena Trezise
Definitely. Some of the things this charity really should be considering are having a conflict of interest register which records any potential or actual conflicts, as well as an appropriate policy for deciding how to manage any conflicts that do arise. The charity could also have a related party transactions policy so they know how to handle such a situation. Ideally, Maria shouldn’t have been able to approve the payment of her husband’s company’s invoices due to the conflict, and the board should have obtained quotes from other companies to assess that the cost was a fair market value.

Louis Hine
Fantastic. And you really hope he wasn’t working 24 hours a day. That’s a bit too much. But anyway, moving on to external fraud, as we said earlier, this is something that’s coming from outside your charity. So, if there’s a service you’re counting on from a third party, make sure you do your due diligence in researching testimonials and meeting with them to discuss precisely what’s required. You should make your expectations very clear, and ideally get it in writing. Also ensure you get their contact details correct, because that is one thing you don’t want to be without if you find things aren’t up to scratch. So, broadly speaking, you should make sure everything your charity does is agreed on by the board or committee, and you keep detailed records of what’s expected. Anything that occurs outside of this should raise a red flag. So Ian, what can charities do to prevent threats of fraud from outside their organisation?

Ian Parry
Thanks Louis. Some key points for preventing or mitigating external fraud, I’ll run through a list. Ensure appropriate training on what staff or volunteers should expect to see in their role, and the importance of raising any issues that arise. Ensure regular audits are completed on areas of the business, all areas of the business. Make sure you use passwords effectively, ensuring a unique password protects every device and IT system. And make sure you change passwords every three months or so. Securely back up important information on your organisation’s IT system and store this back-up off site. And finally, develop a plan for responding to cyber security threats and data breaches. You can refer to our governance toolkit on our ACNC website, especially on cybersecurity, to get you started. The actual link for the governance toolkit is acnc.gov.au/governancetoolkit.

Louis Hine
Perfect. Thanks for that. And again, with all that in mind, we’ll just run through another case study here, but for threats external to your charity. This one will have more of a cyber threat element to it though, just to keep it a bit interesting. Take it away, Serena.

Serena Trezise
Thanks, Louis. In this scenario, we have Stefan, and Stefan works for the Lost Pets Home Ltd. When the charity’s Accounts Manager was on leave, [Stefan] received an email which appeared to be from the CEO’s email address, and it asked him to urgently pay an invoice. Stefan thought nothing of it, and transferred the money. When the CEO returned from leave a few days later, however, she revealed that she did not send the email requesting this, and it soon became apparent that somebody had sent a phishing email to get a fraudulent payment out of the charity, and the charity’s money had been lost. Now, it’s important to quickly point out, just in case you aren’t aware, that the term phishing – and that’s P-H-I-S-H-I-N-G – is where an email appears as one thing, but it actually intends to deceitfully get information or money from its recipient.

If Stefan had known the risk of phishing emails, and to treat emails requesting money with caution, he may have noticed the email was suspicious. And while he realised his mistake within a few days, what if he hadn’t realised until after he received several more emails requesting payment? The charity could have been out of pocket by quite a bit.

Ian Parry
Thanks, Serena, a good example of cybersecurity threats. Another example of phishing is if someone that is pretending to be your bank and they email you saying there was a large payment made from your account, asking you to sign in to verify it. They may put a link in the email directing you to log into a page that looks very similar to your actual bank. It instead would be stealing your login details so the fraudster can just take your money. Definitely something to keep an eye out for.

Louis Hine
Yes. So there are a lot of clever ways scammers try to get money out of you these days, and we’ll see on screen here a few of the points that Stefan could have kept in mind when this occurred: to always critically assess emails that ask about money, or even login details can be another one. There should be a process in place limiting what any one person can send, or at least oversight prior. And the last point there, it might seem obvious, but it bears talking about. If you’re unsure whether an email or anything else your charity receives it legit, just ask around. The only thing better than assessing it yourself is getting one or two other opinions. So, on that topic, Serena, how could we spot email payment fraud?

Serena Trezise
Some of the things you might generally see in a scammer’s email are if the request claims to be urgent or confidential. You might be requested to ignore standard payment authorisation processes. The request could include grammatical and spelling errors. The type of request and the language and formatting might be unusual for the supposed sender. And if the ‘reply to’ email address is different from the sender’s address. It’s important for charities to ensure that staff members are trained to look out for obvious signs of phishing, and know where to report suspicious activity or emails to. If an email requests payment to a supplier or customer and their payment details have changed, always go back to them and just confirm those details yourself.

Louis Hine
Exactly. And that’s really great. And eventually, if you see enough emails like this, you can get a sixth sense for it. Moving on here, what if you’ve jumped through all the hoops in setting up policies and procedures we’ve talked about so far – so you’ve promoted a culture of speaking up and everything – and you do in fact uncover some fraud in your charity?

Ian Parry
Thanks, Louis. I think the first thing is, don’t panic. Make sure you assess it rationally and reasonably. If anything, the discovery itself is a sign that what you’ve done to stay vigilant has worked, and you now have the opportunity to address it. And you can take steps to improve processes further. While there are many ways you can approach the discovery of fraud in your charity, we thought we’d run through the basics of our governance toolkit, which is available on the ACNC website. Again, the actual address is acnc.gov.au/governancetoolkit. We have a template response plan and we’ll look at it from the governance toolkit. You can see that it can be found at the bottom of the cybersecurity page. It runs through five key things to focus on to get you back on track and keep things running how they should.

I’ll just run through the five steps there. The first is identify; number two is investigate; three is assess; four is notify; and the fifth stage is review. We’ll run through each of these in turn, just with a little bit more of a detailed explanation. Firstly, when somebody identifies a potential issue, they should know exactly who to bring that information to. You might have someone whose role includes managing data breaches or fraud. If not, that’s fine; the first person who discovers it might take it to their immediate supervisor. It’s a pretty good idea to have an assigned response coordinator to contain and centralise the approach a charity takes. Some of the key things you want to identify early on are the time and date of any suspected instances of fraud, people potentially involved, or who may have more insight and what the effect was. By this I mean, was money lost, or assets, and are there any potential risks to actual people? Again, these are examples, but the way your charity operates will greatly determine what you’ll want to focus on.

Let’s have a look at the second step there. The second step is to investigate. As the heading suggests here, the next big step is to properly investigate just how the incidence of fraud has occurred and the extent of its harm. At this point you’re really looking to get all the facts you can on the cause and effect, not just to the charity’s assets, but also to people.

Louis Hine
Perfect. And so, then moving on, when looking at assessing the fraud or breach, you’re just taking all the information you found in your investigation and deciding whether there was any loss, misuse or disclosure of information and assets. You need to understand whether there are any risks to individuals in any form, and what kind of action has already been taken to address that issue. Moving on to the next step, is notify. At this point you want to consider notifying not just any relevant regulators you might have, but also those affected by the issue. It’s really important to know, when it comes to the regulators, if there are any timeframes to notify them, or if it has to be on any kind of specific form or anything like that.

And the last point there is to review. This means diving into any current processes and applying your learnings to policy changes, ensuring a similar thing won’t happen again. Your review should include key information like how it occurred in the first place, what kinds of operational changes might be implemented going forward, and how staff training could be tailored. Now, we did touch on conflicts of interest earlier, but we have a little more here, just to close that chapter. So, Ian, could you help us through that?

Ian Parry
No problem. Yes, it’s an important issue. And I’d just start by saying transparency is a huge part of good governance. In the first case study we looked at, we touched on the CEO, whose husband got the contract for providing services to the charity. This could definitely be considered a conflict of interest, because even though she personally didn’t get the benefit of this arrangement herself – her partner did. To help manage risks of fraud, it’s essential to have a discussion on conflicts the people in the charity might have. A really good place to start is on the ACNC website; we have some information relating to conflicts of interest. So you could go to the website under acnc.gov.au/coi. COI, of course, is short for conflict of interest. Here you’ll find a rundown on what conflicts of interest are, a template policy for managing them, and a template register for disclosing conflicts of interest. This is just a document to properly list out the conflicts so you can refer to it when making decisions.

Louis Hine
Fantastic. Thanks for that, Ian. And now handballing right back to Serena. We’ve got one final case study just before we recap and wrap up.

Serena Trezise
Thanks Louis. In our final case study today, we have Danny. And Danny is the Finance Manager of A-Plus Charity Inc. And as Finance Manager, Danny manages all accounts held by the charity, most of which he was authorised to do on his own and without the need for a second signature. Staff at the charity first identified financial discrepancies when Danny was on leave. He’d not delegated any responsibility for the accounts in his absence. Further investigations found a number of instances of potential credit card fraud. It appeared Danny used the charity’s credit card for personal expenses, such as purchasing a Mercedes car and a massage chair. Staff approached a board member of the charity to express their concern.

The Director expressed surprise at the allegations, as they’d only ever seen consolidated financial figures at board meetings. So it’s pretty scary stuff. Some of the things we’re thinking about when we look at this case study, some of the issues it raises is that no one person should have full control or oversight of a charity’s finances, including payroll. Charities should also be aware of staff with financial responsibilities being reluctant to take leave or delegate responsibility. Staff should understand internal procedures and be able to report their concerns confidentially, and they should know who to tell if they see something suspicious. The charity’s board or committee of management should also be given sufficient information to understand the nature of the charity’s financial activities.

These are some of the core things a charity can have in place to ensure strong financial controls and to mitigate the risk of fraud happening. So in this case study, the charity’s board sought legal advice; they notified the ACNC of their concerns; they suspended Danny as Finance Manager; and they launched an internal investigation with the help of an external auditor. Because the charity was dealing with a criminal matter, they also notified the police. And after the board took this action, they also considered whether they should stop requesting public funds, at least until the charity’s financial position and solvency was decided. They also considered whether it was appropriate to communicate to members and staff about the investigation and the action that it was taking.

It’s really important to note that there is no one-size-fits-all approach, and the actions taken in response to discovering fraud may depend on advice from lawyers, the ACNC or the police. The charity in this case study worked with the ACNC to identify ways it could improve its financial controls. This included undertaking a risk assessment and reviewing all of its policies to ensure that they were fit for purpose.

Louis Hine
Thanks so much for that, Serena. That was a really good case study there. It’s just a good example of how to effectively manage such a worrying case of private benefit. It’s now time to start wrapping things up. We’ll just run through some of the key messages of the day. First up, we talked about what is fraud, in that it’s where a person sets out to gain advantage deliberately and deceitfully. And we outlined the difference between internal and external fraud. Number two, we touched on preventing internal fraud by having multiple people sign off on financial matters; having access to important things limited to the relevant roles; and ensuring equitable pay for work that people do. Moving into point number three, moving into external fraud, including scams. We talked about ensuring thorough training for staff involved, having regular audits and having a fraud response plan for when things do go wrong. And on that, the last point we made was just about managing fraud, notably what you can include in your response plan, with reference to our governance toolkit.

Ian Parry
Thanks for providing that overview, Louis. With the time left, we have some questions from today, and thanks to Catherine, Gabby and Georgie for responding to the questions in the background; appreciate it. I thought I’d firstly go over this question here. We’ve received a question: “we’re a small charity, we don’t have the same time or budget to combat fraud that some of the larger charities have; what can we do?” My answer to that question – and it’s a common scenario that we deal with – my answer would be, firstly, refer to the ACNC governance toolkit. It has some readymade resources that you can adopt to suit your needs. We also encourage charities to invest in governance, and this will strengthen the charity and help it to deliver its purpose. And in this sense of combatting fraud, investing time to prevent fraud will reduce the risk of the charity needing to respond in the instance of fraud, which can be very detrimental and can be difficult for charities to recover from, both financially and in terms of the charity’s reputation.

Louis Hine
All right. So I think what we might do is we might just start wrapping it up there. It’s getting close to lunch time or morning tea, depending on where you are around Australia. We’ve got a few ways you can stay in touch with us, which you should see on your screen. There’s obviously our website, social media, where you can get in contact, and you can check out our podcasts. You can also sign up for the Charitable Purpose monthly e-newsletter as well on our website for more info. Beyond that, thank you very much for coming along today. Feel free to join us on webinars that are coming up in the future which you can sign up for on our website. Or you can also see previous webinars at the address on the screen now. Thanks again. Thanks everyone for coming along, Ian and Serena.

Ian Parry
Thanks, Louis. All the best everyone.

Serena Trezise
Thanks, Louis.