The National Cyber Security Centre reported in January 2023 that charities may be particularly vulnerable to cyber attacks because they often lack resources to invest in cyber security and are less likely than businesses to employ technical cyber security controls. For example, charities are more likely to rely on staff using personal IT, which is more difficult to secure than centrally issued IT. When charities experience a cyber attack, the impact can be severe for cash-strapped charities because the lower the charity’s income, the less likely it is to be insured for cyber security.

According to BDO’s 2022 report on charity fraud, charities that experienced fraud not only lost money, but also suffered reputational damage and loss of staff and volunteers. However, fraud awareness remains low among charities. Nearly half believe they are not at risk of fraud, according to an October 2019 report by the Charity Commission and the Fraud Advisory Panel. Equally concerning in that report is that nearly nine out of 10 charities think they are doing everything they can to prevent fraud, but almost half do not have good practice protections in place.

Trustees need to recognise their charities can be vulnerable to different types of fraud and develop an effective culture of prevention. Every dimension of fighting fraud – deterrence, detection and response – requires an effective anti-fraud culture at its foundation.

Actions to tackle fraud are important as trustees must take steps to protect their charity’s funds and assets from misuse, and to comply with UK law on the prevention of fraud, money laundering and financial crime. The charity’s auditor will also commonly seek insights from the trustees on the risks of fraud in the charity as they perceive them, as part of the auditor’s responsibility to report on the extent to which the audit was considered capable of detecting irregularities, including fraud.

Recommendations:

Trustees should ensure that proper internal financial and data controls are in place and that both their design and operation are regularly reviewed, and new controls implemented where necessary. The overall control environment must be fit for purpose. 

Regular training should be provided to both staff and volunteers to ensure that they are familiar with the key controls, their responsibilities in applying those controls, and that they know what steps to take if they suspect fraud is being committed.