Too Little Monitoring Can Lead to Fraud: How to Balance the Freedom Given to the CEO Versus Maintaining Good Board Oversight
“Chief executive of small charity on trial accused of £700,000 fraud”.
“Trial begins of former charity chief executive”.
“Former chief of local charity jailed for seven years for fraud”.
Unfortunately, these types of things do happen! The questions are, what went wrong and what can we learn from it?
Trustees (who are ultimately responsible) delegate management and the day-to-day running of the charity to its employees and management team. Of course, the trustees, having delegated this, have first ensured that the charity has systems and controls which are designed to mitigate the risk of fraud occurring – right?
They do this by ensuring that the board (maybe the treasurer) regularly checks and tests controls to ensure that controls are being operated as designed and documented! No?
Hands up… Who Relies on Auditors to do This?
Who actually knows what auditors do as part of their visit? Detailed review and checking of controls is not one of the auditor’s functions. It’s a board function to ensure that systems and controls are robust, have a good chance of preventing and detecting fraud and error, and operate as documented and designed!
There can be a conflict between trusting your CEO and monitoring their actions.
Case Study – What Went Wrong for the Charity Which Created Those Headlines?
The main issue was that too much control was given to the CEO, such that they were able to bully and dominate their small team, overriding what few controls were actually in place. The board also were not financially minded and received too little financial information, too late. The auditors seemingly did not liaise with anyone beyond the CEO during their audit.
Dual Authorisation on Bank Accounts
A key control, as a final step to stop misappropriation of funds, is dual authorisation (of cheques and BACS). In this case the CEO convinced one of the other authorised signatories to countersign blank cheques, as it would ‘just speed up the process and stop issues if one of them was out of the office!’ Therefore, a perfectly effective control was overridden and yet no one was aware that this was happening. Indeed, no one was routinely checking the cheque book (or anything else), so this went on unnoticed for many years.
The CEO would attend all board meetings and would helpfully take the trustee minutes. The CEO subsequently amended these minutes to award themself generous bonuses, which was another way in which funds were diverted. Again, a simple control could have been that the previous month’s minutes were reviewed at the next meeting and signed by the chair of trustees as ‘a true record’. It is also helpful for the board, where employees are invited to meetings, to keep a section which is ‘confidential to members’ and excludes all employees.
Whilst payroll was ‘authorised’ by the deputy CEO, no board member was regularly authorising and/or checking rates of pay back to contracts; otherwise the multiple fraudulent bonuses the CEO had awarded themself would have been obvious. The non-charity-specialist auditor also failed to disclose remuneration of employees earning over £60,000; again, this might have made it obvious to the board.
A capital project leads to large expenditure, which can be spread over a number of months. This can also be a perfect opportunity to ‘hide’ fraudulent expenditure, as it is capitalised and has no comparative to sit against. Also, by creating fraudulent photocopied invoices, the CEO, once in control of the already countersigned chequebook, could write their own cheques to pay these ‘invoices’.
When commencing a capital project, a good control is to ensure (beyond the requirement to obtain at least three quotes) that the project is monitored against the original board-approved expenditure level. Clearly the capital project should be documented and detailed in the board minutes. Then, where variances arise, ensure that these are investigated fully and explained, particularly so that overspend can be reviewed by the board, who can take action as necessary and authorise accordingly, documenting this in the minutes.
An increasingly common type of fraud is where the payment details for suppliers are ‘updated’ on the system. This can often be after receipt of an email asking for these to be changed. Can we and should we trust emails? The answer is always no, as emails can easily be compromised and hacked!
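Picking up the phone and confirming any change of standing payment data is essential, to ensure that the email is genuine. In our case study example, fake suppliers and fake purchase invoices were entered onto the system. Therefore, ideally, you need a control to ensure that a) only authorised people have access to these details, b) new standing data is verified prior to entry onto the system, and c) any changes to existing standing data are verbally confirmed (perhaps being subject to dual authorisation at each stage).
How Was the Fraud Uncovered, and What Were the Subsequent Actions?
The finance person was alerted when a ‘purchase invoice’ for a capital project did not add up, due to a VAT error. When he contacted the supplier to ask how he should proceed, they pointed out that they had never raised an invoice for that amount on that date. With suspicions raised, the finance person spoke to the board directly, who contacted a specialist forensic accounting firm. With their help, the board took positive actions to suspend the CEO whilst an investigation took place. Dismissing an employee may be the wrong thing to do, since the employer then has no right to call that individual in for questioning etc. The full investigation found more than £700,000 of fraud and, with the firm’s specialist help, the board were able to suspend personal assets and mount a successful legal case against the employee.
Don’t Worry, You Have an Audit Each Year!
It transpired that a couple of years earlier, the finance person had approached the CEO when he was unsure of something that ‘didn’t look right’, only to be bullied into submission for asking such a ridiculous question. In spite of a ‘good telling off’, the finance person then reported the same suspicions to the Deputy CEO, who themselves took no positive action and suggested that ‘if there is a problem, the auditors would find it!’. Sadly, neither the Deputy CEO nor the finance person actually told the auditor of their concerns, so the auditor did not know to look for it or to adjust their risk profile accordingly and, almost inevitably as a result, didn’t spot any fraud as part of their annual audit process.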
Don’t Worry you Have an Audit Each Year!
It transpired that a couple of years earlier, the finance person had approached the CEO when he was unsure of something that ‘didn’t look right’, only to be bullied into submission for asking such a ridiculous question. In spite of a ‘good telling off’, the finance person then reported the same suspicions to the Deputy CEO, who themselves took no positive action and suggested that ‘if there is a problem, the auditors would find it!’. Sadly, neither the Deputy CEO, nor the finance person actually told the auditor of their concerns, so the auditor wasn’t aware to look for it, adjust their risk profile accordingly and almost inevitably as a result, didn’t spot any fraud as part of their annual audit process.
What to do to Safeguard Against Fraud?
The key point of the article is that systems and controls are a board responsibility. Therefore, trustees must ensure that they either carry out regular testing of controls themselves, or employ an internal auditor to do so on their behalf. It is essential that the board regularly checks key approval processes (e.g. payroll, large expenditure payments and capital projects), ensures that there is an open channel for all staff members to approach it directly, encourages a culture of openness, and empowers staff to be vigilant and report suspicious activity. Of course, if you yourself have any suspicions, the key is to take action rather than ‘delegate’ it to another employee. Get in touch with the board: they are responsible, so it is their call to make. Then, as required, take specialist advice, quickly, before dismissing or alerting the accused!
This article is from our Using Conflict as a Catalyst for Change report, a guide to help you embrace, manage and mitigate conflict within your charity.