The Charity Commission reports that almost half of all insider frauds in charities are not reported and in many cases staff and volunteers turn a blind eye or fail to raise concerns.
This highlights the growing need for charities to have robust fraud response plans in place and to use them if fraud is suspected. Many charities place an emphasis on prevention, detection and deterrence, but organisations must also respond appropriately.
How a charity responds to fraud can affect its reputation, its ability to raise funds and its culture. It can be demoralising for staff if they hear rumours of a fraud, but no action is taken or no information about it is communicated.
A good fraud response plan will enable an organisation to respond in an appropriate, measured and consistent way to any allegation of fraud, minimising the financial, reputational and legal risk.
However, we are not talking here about ensuring everyone has a shared responsibility to report suspicions of fraud – we are concentrating on the organisational response mechanisms.
We’ve seen too many fraud response plans that are just too theoretical or are trying to do too many things. They often exist to communicate responsibilities for reporting and to deter insider fraud by their mere existence or to meet a donor’s expectations.
Despite the name, fraud response plans aren’t usually the "go-to" place once a fraud is suspected. One of the issues is that it is very difficult to assign reporting lines and responsibilities within the plan because so many frauds have historically involved those in trusted, senior positions.
So how can charities overcome these challenges?
Is there a plan and is it fit for purpose?
The first step is to check there’s a fraud response plan that’s fit for purpose. Plans are often written to satisfy donors, the board, staff and the Charity Commission, then filed away and never used. Or they are too generic and inflexible.
There’s no one-size-fits-all solution. A plan must be flexible and tie in with other policies, such as whistleblowing or other disciplinary procedures.
Organisations need to differentiate between responding and investigating. If a fraud is reported, the organisation will first need to decide if it warrants investigation.
The process may not be straightforward, especially if the plan says all suspected fraud must be reported to the chief executive. What if the chief executive is suspected or if it’s a senior person the chief executive is keen not to lose?
Broadening the decision-making process
Having only one person responsible for decision-making is often where a plan fails. It risks things being swept under the carpet or the suspected fraud not being properly investigated.
Charities must broaden the decision-making process and have a matrix of decision-making so it’s clear who can and can’t make decisions. It’s a mistake to rely on one individual.
HR, finance and IT, for instance, might need to be involved when a fraud comes to light because evidence can be gathered from financial accounts or emails. HR should be involved from the start to ensure the correct steps are taken.
Communication guidelines are needed to cover how and when the organisation communicates with the person suspected of fraud. Should this be immediately, when they could remove evidence, or after evidence is gathered? The difficulty is that, in reality, it depends.
How internal and external communications about an investigation and its outcome are conducted should also be planned. Staff often hear rumours, then don’t hear anything more.
If a fraud is being investigated, charities must communicate the outcome to ensure people know they are taking fraud seriously. This will send a clear message that people can’t get away with it.
The communications team should be alerted to ensure a media response is prepared and they aren’t caught off guard.
Seeking outside help
Organisations might feel they have an effective fraud response plan, but they could need guidance from an independent, external source. Legal advice might be needed to ensure the right procedure is followed and the correct paperwork gathered in case it ends up in court. It’s important to know at what point this would be recommended.
Reviewing the plan regularly
Finally, it’s important that, once a fraud happens, you look at the process and see if the fraud response plan worked. Was it useful and how could it be improved? No one likes having to deal with fraud, but it’s something more organisations should do.
A robust fraud response plan is a good starting point, but it’s important that it isn’t just a paperwork exercise to which no one ever refers, and that it’s a well-thought-out plan that is regularly reviewed and adapted to ensure it’s fit for purpose.
Arlene Clapham is a risk and assurance manager at the audit firm Sayer Vincent