As a PhD Researcher from the University of Portsmouth, I interviewed officers of small charities who had experienced fraud for a recent study. These individuals shared valuable insights about how trustees can protect their charities against fraud.
This article shares their lessons for trustees and includes anonymised insights from real trustees’ experiences of fraud.
1. Don’t think it won’t happen to you
Don't assume that because you're a small organisation, it won't happen to you.
A unanimous message from those who have experienced fraud is this: “please don’t think it won’t happen to you!” The trustees interviewed were all from small charities with income ranging from only £25,000 to £1,000,000 and expressed shock and disappointment that they were targeted. Anecdotally, most charity trustees that I approached had experienced something they could talk about, even if just a phishing email. Many interviewees had experienced more than one fraud attempt in recent years. A fear of shame, perhaps exacerbated by the public nature of Charity Commission inquiries, inhibited some charity trustees from speaking openly about fraud incidents that they had experienced. This can create a dangerous misconception that charities are not at risk of regular fraud attempts.
Some small charity officers urged professional scepticism and awareness of fraud risks. One charity officer, for example, shared their advice following their experience of data loss when their IT systems were hacked.
2. Don’t be alone
The only advice I would give is do not be isolated. Do not think you have got it all covered. Just seek advice and share, share knowledge.
Make use of the industry network of peers around you for support and learning.
Lessons will always be learned from adverse events. While some reactive learning is valuable, it is even more valuable to share these adverse events so that other charities can learn how to protect themselves before a fraud attempt occurs.
3. Do communicate openly
We now have a much better relationship with the trustees. You can always ask them a question. They always respond back to you. They participate in meetings. There is a lot more talking going on.
On the same theme of open communication, sharing responsibility was also recommended for an effective board. A lack of challenge, on the other hand, was seen to increase fraud risk. Most dominant trustees did not intend to be in such a position and would welcome healthy challenge and discussion. However, a lack of availability and engagement from other trustees, combined with the trust placed in them, left them carrying a burden of responsibility. Boards may wish to consider setting aside time for open communication and discussion at board meetings, as well as ensuring training for all trustees.
Time resource is a huge constraint in the small charity sector. One piece of advice was to avoid presenting yourself as being too busy to ask. Some of the frauds seen could have been prevented had an employee felt confident to bother a busy trustee or CEO to double check a change of bank details.
4. Do consider diversifying your board
Diversity always brings a benefit in terms of different ways of thinking about things. That is ultimately why we need it. Specifically, in terms of fraud and cyber security, diversity is absolutely something we should aspire to.
Diversity in this context means a lot of different things: skill diversity, lived experience diversity, background, gender, ethnicity and age. Most charity officers interviewed championed the benefits of trustee diversity in strengthening their defences against fraud. Lived experience diversity was a particularly interesting finding from this study. One charity officer who had experienced insider fraud described how their lived experience of crime in their personal life helped them to identify fraudulent activity where others in the organisation had not.
Challenges to diverse recruitment were expressed by the interviewees and may require changes in governance practices by small charities. For example, meetings always scheduled during school hours may make it difficult to attract a trustee with work or childcare responsibilities.
5. Do review your internal controls
Keep being vigilant in terms of ICT security. We did not have two FA [two factor authentication] so the first thing that they did was to introduce two FA on email accounts.
Some advice on internal controls came with the benefit of hindsight. Charity trustees who experienced an email hacking fraud recommended two-factor authentication. Charity trustees who experienced insider fraud recommended segregation of duties. A charity trustee who had experienced a legacy fraud advised signing up for a legacy notification database. The Charity Commission’s guidance ‘Internal financial controls for charities (CC8)’ provides a helpful checklist that charities can use to test the robustness of their controls.
Final tip from the experts: do consider a Fraud Response Plan
In addition to charity officers, a small number of industry experts were interviewed. A key piece of advice shared by those experts was to consider a fraud response plan to support charity trustees, volunteers and employees in responding to a suspected fraud and sending a message that you are committed to fighting fraud (the 2023 Charity Fraud Report includes a template Fraud Response Plan).
Uncovering an actual or suspected fraud can be a stressful and worrying experience. Many volunteers and employees interviewed who had uncovered a suspected fraud described feelings of helplessness and frustration when reporting channels were not as responsive as they might have hoped. Fraud response plans could also reduce the feelings of helplessness and frustration expressed by some small charity officers.
Key takeaway
I learned so much from spending time with the brave individuals willing to speak to me about their experiences. My key takeaway from this study has been the importance of talking to your neighbours, being part of a charity community where we can share the issues we are facing and how we are approaching them. Through this we can maintain awareness of the current risks we are facing and face them stronger together, with an awareness of current best practice and developments. Communities of particular support to me have been the ICAEW Charity Community and the Honorary Treasurer’s Forum, but there are many formal and informal volunteering communities across the country that can offer help.
For fraud prevention resources, please visit the Prevent Charity Fraud website and the Charity Commission’s updated guidance on cybercrime and fraud.
*The views expressed are the author's and not ICAEW's