Academies and Fraud
There have been numerous recent cases where schools have been the subject of targeted fraud attempts, usually in the form of requests for payment being sent to finance staff purporting to be from the Principal or other individual in authority. Schools are an easy target as there tends to be a lot of information on Academy websites detailing the roles of individuals, such as the Senior Leadership Team and Governors, including e-mail addresses in many instances. Large capital projects such as a new building may also be publicised in the local press, alerting fraudsters that large payments are planned, again giving the opportunity for supplier payments fraud.
The Charity Commission has recently published guidance on tackling fraud and many of the recommendations apply to Academy Trusts.
Fraud prevention starts with good governance and it is important for Governors to understand where the risks are in the organisation and put plans in place to mitigate those risks. The Governors must be seen as being committed to ensuring robust fraud defences are in place so that this becomes the culture throughout the school.
With respect to cybercrime, improving passwords can mitigate most cyber threats. The list of the top ten passwords used still contains ‘Password’ and ‘123456’! With the impact of GDPR, the loss of data will have increasingly serious financial consequences, in addition to the reputational damage caused. The Trust should have a password policy in place and the IT department should monitor passwords used to ensure staff are complying with it. Passwords should be changed regularly and guidance given as to what is appropriate.
Social engineering is often used in banking frauds to establish the victim’s trust. The fraudster gathers information about the Trust and staff from websites and social media and uses this to gather additional information which can then be used to access bank accounts or persuade a member of staff to make payments. They often suggest that there is element of urgency in their requests. Staff should be made aware of the risks so that they are wary of requests for information or urgent payments. Staff should also be aware that they need to be careful of what e- mail attachments they open as these can contain malware.
Supplier payment amendments
In relation to supplier payment details, a procedure should be in place for changing the bank details of suppliers such that any requests are verified directly with a known contact at the supplier and evidenced in writing.
Internal finance systems and procedures
In addition to the risk of fraud from individuals outside the Trust there is also a risk of internal fraud. Governors need to ensure that robust finance systems and procedures are in place and are being adhered to in order to minimise the risks of fraud.
There should be an effective way for staff to report suspected or known fraud so that any concerns are addressed as soon as possible. The Trust should have a fraud and whistleblowing policy in place so that staff are aware of how concerns are to be reported and how they will be dealt with. Fraud awareness should form part of staff induction and ongoing training. The majority of staff in the Trust will have some involvement in the management of school funds, whether through ordering goods, managing budgets or organising school trips, and fraud can occur in any area.