Financial controls to prevent fraud

If fraudsters target your organisation, your internal controls could make all the difference in protecting its money and reputation. Many fraud attempts would be foiled by organisations following the financial procedures they already have in place.

Why are financial controls vital?

Internal financial controls are rules and ways of working, designed to help trustees protect their charity’s funds and other assets, and to reduce the risk of losses through theft, fraud or mismanagement. Robust controls underpin good quality financial reporting. They can also enable a charity to achieve good value for money when purchasing goods and services.

More than eight in ten frauds targeting charities are spotted through financial controls, by audit or whistleblowing. Charity victims of fraud generally go on to improve their internal procedures or security measures, but prevention is better than cure*.

* Preventing charity fraud: Insights and action (2019), Fraud Advisory Panel and Charity Commission

How to check your financial controls

Read the Charity Commission’s guidance (CC8) for examples of financial controls that trustees should consider putting in place to:

  • protect their charity’s money
  • authorise spending on goods and services
  • safeguard its assets

This handy checklist will help you see how your controls compare to recommended good practice. Trustees should review their organisation’s financial controls every year.

Six tips for fraud prevention

1. Make your procedures clear and easy to follow

Ensure your internal procedures clearly explain how to request, check and authorise payments. Make sure all staff and volunteers involved in making payments understand and always follow these procedures, including when working remotely or from home.

2. Verify payment instructions

Verify any request by a supplier to change their bank account details, even when they are written on a seemingly genuine invoice. Call the supplier or a trusted staff member to verify a payee’s change of account details. This is quicker and easier than attempting to recover a fraudulent payment with your bank’s help after an invoice is paid.

3. Match payment requests with approved orders

If your internal procedures can support it, consider implementing a Purchase Order system. Matching requests for payments with approved orders will help to protect you against fraudulent or incorrect invoices and payment instructions.
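As an added illustration of tips 2 and 3 (example code written for this page, not CAF Bank's or any product's), the Python below holds an invoice for manual checks whenever the payee bank details differ from the supplier record on file, or the quoted purchase order is missing, unapproved, raised for another supplier, or for a smaller amount. All supplier names, order numbers and account values are constructed.

```python
from dataclasses import dataclass

# Records the organisation holds (constructed sample data, not real payees or orders).
@dataclass(frozen=True)
class Supplier:
    name: str
    sort_code: str
    account: str

@dataclass(frozen=True)
class PurchaseOrder:
    number: str
    supplier: str
    amount_pence: int
    approved: bool

@dataclass(frozen=True)
class Invoice:
    supplier: str
    po_number: str
    amount_pence: int
    sort_code: str
    account: str

SUPPLIERS = {s.name: s for s in [Supplier("Acme Stationery Ltd", "11-22-33", "12345678")]}
ORDERS = {po.number: po for po in [
    PurchaseOrder("PO-1001", "Acme Stationery Ltd", 25000, approved=True),
    PurchaseOrder("PO-1002", "Acme Stationery Ltd", 90000, approved=False),
]}

def check_invoice(inv: Invoice, suppliers=SUPPLIERS, orders=ORDERS) -> list[str]:
    """Return the reasons an invoice must be held for manual checks; empty means it may be paid."""
    issues = []
    sup = suppliers.get(inv.supplier)
    if sup is None:
        issues.append("supplier not on file")
    elif (inv.sort_code, inv.account) != (sup.sort_code, sup.account):
        # Tip 2: never take new account details from the invoice itself; call the supplier.
        issues.append("bank details differ from supplier record: verify with supplier")
    po = orders.get(inv.po_number)
    if po is None:
        issues.append("no purchase order quoted")
    else:  # Tip 3: the invoice must match an approved order for this supplier and amount
        if not po.approved:
            issues.append("purchase order not approved")
        if po.supplier != inv.supplier:
            issues.append("purchase order raised for a different supplier")
        if inv.amount_pence > po.amount_pence:
            issues.append("invoice exceeds approved order amount")
    return issues
```

Every non-empty result is a reason to pause and verify through a channel you already trust, rather than a reason to reject the invoice outright.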

4. Read terms carefully, before accepting them

Put in place clear levels of authorisation for ordering goods and services, and for approving purchases. If you are offered a free trial by a supplier, please make sure that you fully understand the terms of the agreement - including any costs, notice periods or exit clauses which will apply. If you decide to go ahead with the trial, ensure that its terms are accepted by an authorised person within your organisation.

5. Protect your systems against ransomware attacks

Ransomware is a type of malicious software (malware) designed to prevent you from accessing your computer, or the data stored on it. The computer may become locked, or the data on it might be stolen, destroyed or encrypted.

Usually the attacker asks the victim to respond to an anonymous email address or follow instructions on a web page, to make payment. Payment is generally demanded in a cryptocurrency such as Bitcoin, to unlock your computer, or access your data.

Paying the ransom does not guarantee you will regain access to your computer or data. Your computers may still be infected and remain at risk. You are more likely to be targeted in the future, and you will be funding criminal organisations.

Protect yourself by installing anti-virus software. Keep operating systems and software updated, and be aware of social engineering and phishing emails. Back up critical data regularly and test your recovery processes to minimise the impact of an attack.

For more tips, follow this advice by the National Cyber Security Centre.

6. Build a fraud-aware culture

Use fraud policies and processes, regular briefings and training to create a security awareness culture among your staff and volunteers.

Make sure they are aware of the latest threats and know how to spot and report suspected fraud. Check they know the security basics, such as setting passwords, keeping login details safe and locking their computer when it’s not in use.

Please keep your bank informed of any changes to account users, signatories and trustees.

Seen something suspicious?

Find out the best way to report it to us.

CAF Bank Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register number: 204451).

CAF Bank Limited Registered office is 25 Kings Hill Avenue, Kings Hill, West Malling, Kent ME19 4JQ. Registered in England and Wales under number 1837656.