Lawyers are often asked to advise people who are forming a charity. Once the charity is registered, they become its trustees and, because they have advised on the charity's legal responsibilities, they are often asked to explain how to prevent fraud. So what advice should they give?
The first point to make is that the trustees will never be able to stop every fraud. If they tried to do so, they would tie up so much of the charity's resources there would be little left to carry on its main charitable activities.
Therefore, they need to strike a balance between minimising the possibility of a fraud taking place – accepting some risks will still remain – and maximising the resources devoted to the charitable activity.
Next, they should carry out a form of risk assessment, establishing where fraud is most likely to be perpetrated and what the fraudster could get away with.
Areas or activities most vulnerable to fraud, and where the value of the charity's assets are high, deserve the most attention, such as control over deposit accounts and investments. If the vulnerability is high, but the value is low – as in the case of the petty cash box – some control is needed, such as occasional cash counts, but this need not be continuous. Areas of low vulnerability and low value require a low level of control.
So how can controls be put in place? In any charity, large or small, one of the best methods of guarding against fraud is to instill a control culture – one where employees are encouraged to take fraud prevention seriously and it is made clear that trustees will take swift action if there are control failures or fraud comes to light.
This can be achieved by including the requisite statements in contracts of employment, as well as reinforcing the point in staff training.
Physical controls should be considered. For example, is incoming mail put into a secure mailbox by the postman and is it opened by more than one person to remove temptation and thus safeguard against the theft of donations by staff?
Financial controls, too, are essential, no matter how small a charity may be. Critical elements to consider when advising on this area are size and complexity of the charity.
In charities with two or more staff, a good control is “segregation of duties”. This involves splitting tasks so the person with access to an asset – drawing cheques, using a computer, maintaining displays of stock in a shop – does not also have access to the financial records of that asset – cash book, fixed asset register, stock record. Although this will not stop a fraud, it should ensure that it will be brought to light quickly.
Larger charities may also have an internal audit function, provided either by an in-house team or by an external supplier. The trustees should ensure the internal audit plans focus work on the areas of highest risk and highest value. They should also give detailed consideration to the internal audit reports to gain comfort that internal controls are functioning adequately.
However, many charities do not have a large number of staff, which restricts the possibility of segregating duties, and cannot afford internal audit. In such cases, the trustees may have to rely on greater involvement by themselves.
They could do this by exercising more direct control. One trustee, for example, could review the bank reconciliation each week, or a detailed review could be carried out by the trustees and individual transactions approved.
However, the trustees will need to use their judgement to decide on the extent to which this is necessary. They can obtain direct satisfaction that controls are operating by regularly receiving, reviewing and questioning reports on each area of the charity's activities. These reports should be required to comment on the operation of key controls – for example, a statement that during the previous three months, all computer access passwords have been changed at least once.
The trustees can also get some comfort on the operation of controls by reviewing the annual management letter from the external auditor or the Independent Examiner. While this will not give blanket coverage of all controls, it should highlight those areas in which key ones are not functioning as expected.
In addition, if the charity is fortunate enough to have an internal audit function, additional comfort can be taken from its work and reports.
Establishing a control culture should make trustees confident that they are adequately discharging their legal responsibilities to safeguard the charity's assets to the best of their ability.