Fraud is a difficult matter for the third sector. We don't like to think that anyone would stoop so low as to take funds away from the good work we do. Figures for the total cost of fraud to the sector vary widely from £150m, estimated by the National Fraud Authority in the year to 2012, to £1.65bn, estimated by the accountancy firm BDO in 2013.
A lot of fraud is perpetrated by outsiders diverting donations by claiming to represent armed forces, war veterans, cancer or children's charities. But sometimes fraud is committed by insiders - our own staff. This can take many different forms, including stealing cash donations that come in the post, falsely under-recording a cash income total and stealing the difference, falsifying expenses claims or putting non-existent people on the payroll.
Sometimes staff defraud the organisation of time, which is still a serious matter when taken to extremes - for example, sleeping while on duty in a care home when one is meant to be awake, or spending excessive amounts of time on the internet or personal mobile phone calls. We often seem reluctant to point the finger at time fraud. Managers say to me: "Can we monitor internet usage? Isn't that intrusive?"
Everyone at work uses the internet for non-work purposes if they have access to a computer. It is human nature and convenient in the modern world to be able to do so. However, it is important to be clear about the rules you expect staff to stick to, and to apply them as you would any other aspect of your organisational code of conduct.
If you think time is going missing, you should as a first step either develop or restate the code of conduct, such as an "acceptable use of IT" policy. In this policy, make sure you spell out what "reasonable" usage is, both in terms of time and, of course, the sites staff might be visiting.
Hopefully, your server's firewall will stop any really dangerous sites being accessed, but this is not guaranteed.
You must also be careful to add a section about what monitoring you might carry out and when this might happen. The Regulation of Investigatory Powers Act 2000 - otherwise known as the Rip Act - allows you to monitor staff's IT usage, providing that monitoring is proportionate. If you are going to do it, you should monitor overall traffic at random, going into detail on someone's PC only if you spot excessive usage. The work PC is not a personal computer in the sense of being the individual's property or private to them. Sometimes staff forget this.
If you think that money is going missing, carry out some internal audits and review your processes for handling donations, opening the post (it should always be done by two people), collecting service users' lunch money and so on. I like to trust people, but I have a suspicious mind: sadly, this comes from experience.
Gill Taylor is a sector HR consultant