Financial controls: is your charity protected?

Financial controls and vulnerability

While the term ‘financial controls’ will be mainstream for all finance professionals ,knowledge of it does not always translate into having the right tools, resources and capabilities to ensure your organisation is protected. Plus, as a sector that faces many challenges – be it funding, resources or hybrid working patterns – charities can be more vulnerable than their corporate counterparts.

These vulnerabilities are no more evident than in the case of fraud. A report by Civil Society showed that £8million was lost due to fraud in the first year of the pandemic. Triggered by this anti-fraud campaign, the Charity Commission found that home working had only increased this risk; due to processes having been relaxed for convenience, to make things quicker and simpler. As a result, wrongdoings and mistakes were much easier to slip through the gaps.

Along the same lines, the second biggest vulnerability appears due to the charity’s sectors tendency to place a lot of goodwill and trust in individuals. As charities, the people who join your organisation will undoubtedly believe in the cause that charity supports, and teams have a trusting environment, and everyone working towards the same goals. Unfortunately, putting a lot of trust in employees, without the right controls in place, can lead to some taking advantage. It can also allow one person to take too much power and control, which – even with good intent – can lead to disaster.

SUMMARY: charities can be vulnerable without the right controls due to the goodwill nature of teams allowing too much power for one individual, the risk of fraud, and the temptation to slacken processes due to working from home convenient practices.

 

Case Study | £900,000 fraud

In this real-life example, £900,000 was stolen by a charity’s Finance Director over the course of seven years. Despite such a long period of time, nothing was noticed until the FD was made redundant, and discrepancies between payments were noticed, triggering an investigation. It transpired that this FD was able to create transactions, approve them and transfer money to themselves.

The problem, here, was the lack of segregation of duties. The same person should never be able to create and approve; and it was the lack of controls in place that enabled the FD to continue in this way. Furthermore, as a respected employee with authority, this FD was bestowed a lot of trust to act in charity’s best interests without anyone challenging his activities – meaning there was a single point of failure and too much power and control given to one person.

SUMMARY: this FD had too much power and was able to cover tracks without seeking approval from anyone else in the organisation.

 

Case Study | £100,000 lost income

This example did not involve fraud, however resulted in the loss of a huge sum of income, purely due to poor record keeping. One of this charity’s trustees was using their personal bank account for several transactions. All of those payments were then expensed, without any supporting documentation. It was this lack of supporting documentation that led to an audit fail.

As in the example above, we see the same case of too much power being given to just one person. This trustee was not only using a personal account, but was able to raise expenses and approved directly. Despite this, no-one in the organisation challenged the individual.

So, we can see that a seemingly small issue of expenses can lead to an audit fail, however that is not the end of the story.

If we take the use of personal bank account our of equation, the lack of supporting documentation alone was enough for this story to appear in the news – highlighting the name of the charity. If you support a charity, and found out in the news that they could not prove that a lot of their expense were spent to support that cause , would you still support them? Would you have trust and belief that they spend their funds in the right way? This damage to reputation could be far greater than a failed audit. Other income streams, such as regular donations, corporate donors, funding bodies or else, could all choose to remove their support. In the worst case scenario, with income streams decreasing, the charity could cease to exist.

SUMMARY: trustees also need holding to account, and bad publicity can cause great financial risk. 

 

How to protect your organisation

Thankfully, these examples are avoidable. Here are some key pillars to consider:

Security through having the right tools: these tools don’t need to be state of the art, but they do ensure accountability is tracked. For example, each individual is linked directly to their user profile. This is bespoke to them, and can’t be shared with others.

Segregation of duties: the same person should never be able to create and approve payments. Even without a big finance team, there should be at least one other person who can approve (they could be outside the finance function if for example, there is only one finance manager). Modern tools nowadays have mobile applications that makes it very easy to implements for those users who are not necessarily tech savvy.

Full traceability: an understanding of who did what, when. This protects the individual as well as the organisation. If anything happens, you can find out in seconds.

Roles: ensuring that people only have access to what they need to do. Strict roles and responsibilities assigned to the tool they’re using and the action they need to take. This can then be managed in a secure way.

People: following from above, having the right people in the right role, knowing what they can and can’t do, will mean accountability is much more streamlined.

Trust and culture: while we’ve talked a lot about the downfalls of trust, it is of course very important to have! Trust is important for an organisation’s culture; and could be a reason why people leave or stay with a company. It means: “I trust my colleague to question me if they’re not sure” and to question others, regardless of their role in the company, be it FD to trustee to assistant. When employees feel comfortable to question, it means fraud and mistakes are much less likely to happen. Therefore, an open and honest culture should be encouraged.

“Charities have great trust and goodwill with their teams, as you tend to hire people that care and support the vision. Having the right tools ensures you protect yourself and the whole team from risk of fraud”

 

Summing up Part One…

When things go wrong, it can feel very personal. If a charity ceases to exist, the impact is huge. Not just on the employees, but the community, the donors, and most importantly the recipients of the charity’s service. By putting the right controls in place, you are protecting your staff, your organisation, and the end users of your service.

 

Why are financial controls hard to implement?

As a specialist in risk advisory, Amanda has worked across internal audits, tech assurance, governance, controls, counter fraud and more, both in-house and as a consultant for charities and not-for-profit organisations. The key challenges discussed were:

Lack of investment in core back office systems: there is naturally a desire to spend money on delivery of services, rather than processes. This makes sense, as the charity’s purpose is to help those in need; and your team will likely feel guilty spending money on anything else. Small teams are often leading these decisions, and there can be a lack of automation in embedded systems; all of which leading to the issues raised by Veronika above.

Trust: in a report recently produced by Evelyn Partners for a large charity client, the biggest problem encountered was trust. While having confidence in your team is essential, trust needs to be balanced in order to create value for the recipients.

Inconsistent tone and blurred lines of accountability. In charity settings, leadership is shared between the senior team and the Board. If the tone isn’t clear, pockets of the organisation can be operating in silos, some might not understand or even respect financial control. To avoid this, trustees and executives must come together and communicate.

Risk management: this is not specific to charity, however there is a naivety in how to maximise risk management. Often, there is enthusiasm and need to focus on what the risks are; yet not so much on how they could be mitigated, or what the opportunities are.

Fraud: it is a challenging environment now. The fraud triangle consists of three motivating factors: pressure, opportunity, rationalising. At the moment, the environment is rife for these to come together in a perfect storm. With over 20 years’ experience, Amanda added “I’ve never seen it like it is now.” Reasons being, the cost-of-living crisis (pressure), poor controls (opportunity), or poor tone from top (opportunity). Thirdly, poor morale (rationalising) and lack of staff mean that people are working harder than ever, feeling fatigue around their challenges, and could feel more justified in their actions. In a recent fraud review, 66% was down to poor financial controls.

How to make improvements

All of these challenges can seem overwhelming, however there are key steps you can take to eradicate the risks, and find added value in a more controlled working environment.

• Look at your end-to-end processes: often it swings one way or the other – either very bureaucratic; or weak and patchy. Review where the vulnerabilities are in your processes, and automate where you can.
• Think of charity as a business: if you benchmark yourself against other charities, you could be doing much better, and therefore missing out on ways to improve. However, compared to a similar sized organisation in the corporate sector, you could find real opportunities.
• Making decisions as a consensus: how do you convince the team to spend money on back office? Often it takes bringing in commercially-experienced people and getting advice.
• Better automation: have systems in place, and take time finding the right one. Choose a configured system, rather than a bespoke customised one. And make sure you have the right people involved in the process.

 

Choosing a new system

Leading on from Amanda’s fourth point, she adds her top tips for choosing a new finance system:

• See implementation as digital transformation: whatever you choose, see it as an opportunity to train people well and communicate effectively. Always involve senior leaders and finance teams, not just IT department.
• Cleaning data: don’t underestimate how much time this takes! You don’t always need the old data, so think about what you need.
• Assurance: get good advice; it doesn’t need to be costly consultants, but you need someone to help advise.
• Get your trustees and execs together; so everyone is aligned and knows how they’ll approach.

“See implementation as a way to deliver digital transformation.”

Three Key Takeouts

• Ensure segregation of duties – not all power is left with one individual.
• Balance goodwill and trust with robust processes; to protect both yourself and the organisation.
• Communicate between Board and Senior team, and share information in an open way, to build understanding and morale.

What’s next?

Xledger will be returning to the Charity Finance Summit in 2023. In the meantime, find out more about our work with charities, or read one of our case studies.

 

Find out more

Get in touch with Ovi Stici at ovi.stici@xledger.co.uk if you would like to discuss how Xledger could support your charity in putting the right financial controls in place for your organisation.