Jamie De Souza, Partner, Trowers & Hamlins LLP and Emily Sharples, Associate, Trowers & Hamlins LLP
During Charity Fraud Awareness Week 2022 (which took place between 17-21 October 2022) we heard about the ongoing fraud and cyber risks that charities are facing. Alarmingly, recent findings from surveys by the Charity Commission for England and Wales and the National Cyber Security Centre and Third Sector include:
- 12% of charities experienced online fraud in the last 12 months – that is 1 in 8 charities.
- One in 10 charities said cybersecurity is not even on the boardroom agenda.
- Less than 25% of charities have a formal policy in place for managing the risk of cyber/online fraud.
- One in five charities said not a single employee was trained to identify a cyber-attack.
Charities need not only to consider prevention measures that minimise the risk of fraud but also to plan ahead, so that they know how to respond quickly and effectively should a fraud incident occur.
Prevention
The key to preventing fraud is ensuring your organisation does not put itself in a situation where the risk of fraud is higher than it would be if basic controls were in place and applied. In fraud cases we have dealt with, particularly those involving charities, it has been easy to identify the underlying vulnerabilities in the organisation which led to the fraud or exacerbated its impact and which, with hindsight, could have been mitigated.
Top tips for fraud prevention include:
Good governance / segregation of duties
It is not uncommon, particularly in smaller charities, for several key roles to be held by one individual. This can cause an imbalance of influence and control and ultimately increase the threat of fraudulent activity which an individual can more readily conceal.
- Wherever possible ensure that no one individual has sole control over key systems or payment authorisations.
- Implement dual authorisation processes for financial transactions and system changes.
- Review how your organisation’s data is stored and backed up. If an errant employee or third party deletes data, are you able to retrieve it from other sources?
- Maintain asset registers.
- Implement expenses policies.
Policies and procedures
The importance of fraud and cybercrime policies and procedures cannot be overstated.
- Policies identify an organisation’s fraud prevention initiatives including regular and tailored risk assessments and the controls put in place to mitigate and deal with fraud.
- Procedures should, amongst other matters, set out reporting mechanisms and response plans.
Training
Training is also a crucial part of fraud prevention and is an often forgotten ‘easy win’. Staff, trustees and volunteers play an integral role in preventing fraud in your organisation.
- Regular training ensures effective communication of policies and procedures.
- Awareness and encouragement regarding reporting suspicious behaviour helps foster an open and honest organisational culture.
- With the increase in phishing and malware attacks, training and simulation exercises can ensure staff are more alive to these threats and can spot the red flags before it’s too late.
Response
As part of fraud procedures, charities need to consider their response plans so that if the worst does happen, you know how to manage the situation effectively.
Investigation
- Identify a small number of people who should be involved in dealing with a fraud event (the group can vary depending on the nature of the fraud/cybercrime).
- Consider the need to involve third parties, such as lawyers, cyber/IT experts, forensic accountants and PR. Many frauds have a debilitating impact on an organisation and so time is critical. Know who you need to call in any such emergency.
- Be aware that documents created during internal investigations are not automatically protected by legal privilege (and so may have to be disclosed to the perpetrator in due course). Involving lawyers early in the process can assist in protecting some documents from disclosure.
Data preservation
- Consider how your data is stored. With the increase in electronically stored data, charities should ensure data protection policies are in place and regularly reviewed. Following a cyber-attack, steps should be taken to ascertain what data has been lost and to ensure that all remaining data is fully secured.
- Act quickly to collect and/or preserve data. Consider whether any staff need to have their access removed or suspended if there is a risk that data pertinent to an investigation will be destroyed.
- Depending on the scale of the fraud, consider whether forensic images of computers / mobile phones need to be taken to be reviewed at a later date.
Reporting
- Depending on the nature of the fraud incident, a number of third parties may need to be notified, including the Charity Commission and the Information Commissioner’s Office.
- Be aware of required timescales – often reporting is necessary as soon as reasonably practicable, rather than at the conclusion of an investigation.
Sadly, there is no failsafe to stop frauds from occurring. However, with appropriate planning the impact of a fraud incident can be controlled and responded to and, where appropriate, proceedings commenced to seek recovery of the losses suffered.