Welcome to the Summer 2011 edition of charity briefing. This edition concentrates on protecting charities from harm given the release this year of Chapter 3 of the Charity Commission online toolkit, Fraud and Financial Crime. The toolkit aims to give trustees the knowledge and tools they need to manage risks and protect their charity from harm and abuse and is available on the Commission’s website.
We have therefore included articles on data security and fraud which continue to be hot topics within the sector and society as a whole.
We also bring you up to speed with the Bribery Act 2010 as well as other interesting developments within the sector.
I would also like to take this opportunity to congratulate Graham Elliott who won the award for Tax Writer of the Year at the Taxation Awards 2011.
As ever, if you have any feedback on this edition of the briefing, or wish to discuss any of the matters raised, do contact one of our team.
Kathryn Burton
partner - editor | 020 7969 5515
kburton@haysmacintyre.com
No organisation is immune from the threat of fraud and evidence suggests that the cost to the UK economy is continuing to grow. For many charities, however, fraud is still a risk that they are reluctant to address openly. With a traditional reliance in the sector on trust and goodwill it can be difficult to face the thought that ‘it could happen here’.
In January 2011 the National Fraud Authority estimated the level of fraud suffered by UK charities as £1.3 billion a year – in other words, for every £100 of income raised, around £2.50 is lost. It is important to remember that behind the statistics lie real cases and for some charities, the effects of fraud have been devastating. Never before has it been so important for charities to ensure that appropriate anti-fraud measures are in place.
The first step for any charity is to carry out a comprehensive review of both internal and external fraud risks, identifying mitigating controls where these exist. Examples of external fraud risks include:
· fraudulent applications for grant funding;
· cheque fraud where a cheque is intercepted and the payee details altered;
· faked documentation purporting to change suppliers’ bank account details;
· procurement fraud where suppliers raise invoices for goods not ordered or not received;
· use of the charity’s brand by third parties to hold fundraising events where the money raised is never remitted; and
· hacking or penetration of a charity’s website allowing theft of information such as personal confidential and / or sensitive data relating to beneficiaries or supporters.
Among the internal fraud risks to be considered are:
· theft of cash or cheques or other physical assets by employees or volunteers;
· personal expenses or company credit card abuse;
· employees commissioning work or services from family, friends or associates for personal gain;
· payroll fraud where a fictitious employee is included in the payroll or the calculation for a genuine employee is manipulated;
· unauthorised obtaining of personal data; and
· applicants falsifying their work history or qualifications in order to obtain a position.
This exercise will help to identify areas of weakness that need to be addressed in order to enhance the preventative and detective controls in place. These controls don’t need to be overly complicated. Collusion is very rarely seen in charity frauds and so many risks can be addressed by ensuring that, where possible, adequate segregation of duties exists. Where controls have been identified, they should also be tested regularly to provide assurance that they are operating as expected. Bear in mind that the biggest weakness with any systems of control are the individuals who apply them.
All staff and volunteers need to know what fraud is, be able to recognise it when it occurs and encouraged to report it. An anti-fraud policy should be clearly communicated throughout the charity - the tone from the top is important and the policy should be endorsed and supported at the most senior levels. It is widely recognised that one of the most effective and inexpensive ways of preventing and detecting fraud and other serious malpractice is to create strong whistle blowing arrangements.
Finally, charities need to have a plan for responding to fraud to help ensure that timely and effective action is taken. This should include the steps that need to be followed and individuals who should be notified as well as agreed communication processes.
Kathryn Burton
partner - editor | 020 7969 5515
kburton@haysmacintyre.com
The Bribery Act 2010 (“the Act”) became effective on 1 July 2011. In this article we set out some key aspects of the Act and the associated Guidance.
The Act defines four bribery offences. Although the legal definitions of each type of bribery are different they all involve two features: trying to obtain an advantage and inducing or rewarding improper conduct.
Offences for individuals:
· Bribing another person;
· Being bribed; and
· Bribery of a foreign public official.
Corporate offence:
· Failure of a commercial organisation to prevent bribery.
The only defence for an organisation facing prosecution for this corporate offence is that it had adequate procedures in place to prevent persons associated with it from undertaking such activity. Guidance as to what would constitute “adequate procedures” has been published by the Ministry of Justice, in accordance with section 9 of the Act, which is structured around six key principles:
· Proportionality;
· Top level commitment;
· Risk Assessment;
· Due diligence;
· Communication; and
· Monitoring and review.
The specific processes which will need to be in place will depend on the corporate structure and the activities of each individual organisation and the particular risks it faces. A large international charity will need to have much more extensive control procedures and more wide-ranging policies than a local charity whose activities are limited to a small geographical area within the UK.
It is likely that for many charities these requirements will be met by existing policies and procedures, although it will be necessary for these to be reviewed to ensure that they are fit for purpose. In particular, policies relating to the acceptance of gifts or hospitality are likely to need updating.
Communication of policies throughout an organisation will be vital to ensuring that the organisation is able to demonstrate the adequacy of its bribery prevention procedures. It is important to note that the term “persons associated with” an organisation is not limited to its employees: it applies to anyone who is acting on behalf of the organisation in any capacity. Agents and sub-contractors would constitute associates of an organisation and would therefore need to be considered as part of the organisation’s assessment of risk, its communications of internal policy and its control procedures.
A more extensive briefing on this topic can be found on our website:
The full Guidance and a more condensed “Quick Start Guide” can be found at:
Tom Brain
Senior Manager | 020 7969 5670
tbrain@haysmacintyre.com
A recent Supreme Court judgement in the Autoclenz case reminds us that employers must pay close attention to the employment status of those they engage to provide personal services.
The Autoclez case was concerned with ‘self employed’ car cleaners. The important point to take from this case is that HMRC will look right through a contract for services if the contractual terms do not reflect the reality of what was actually agreed between the parties or the true intentions of the parties.
I often hear from clients “the individual told me he was self employed” and the frequency with which this is said indicates some serious flaws in the general understanding by employers of their obligations. It matters not one jot how the individual describes themselves it is up to you as the engager/employer to determine their status for HMRC will hold the employer liable for uncollected income tax and NIC under PAYE.
Looking at this from another angle, it is similarly not acceptable to take someone on as a self employed service provider just because you don’t want them to be an employee. It is perfectly acceptable to structure arrangements so that self employed status is met. The difference is that the reality is what counts not just what you or your lawyers write into a contract. In the Autoclenz case the Company engaged the individuals on a self employed basis but they bore the hallmarks of employees.
They did not look like they were in business for themselves. They had no control over the way in which they did their work. They had no real control over the hours they worked. They had no real economic interest in the way in which the work was organised. They could not source materials for themselves. They were subject to the control and direction of the Company’s employees on site. They worked in teams and not as individuals. The individuals had no say in the terms upon which they performed work and the contracts they entered into were devised entirely by the Company and the services the individuals supplied were subject to a detailed specification provided by the Company. The invoices they submitted were prepared by the Company who also determined any deductions which should be made in respect of materials and insurance. Rates of pay were determined by the Company who could increase or decrease them unilaterally.
The case determined that the individuals were workers entitled to the National Minimum Wage and holiday pay under the Working Time Regulations. Of course HMRC would also be knocking on their door for uncollected tax and NIC.
Lorraine Owens
employment tax manager | 020 7969 5578
lowens@haysmacintyre.com
Since the last Charity Briefing there have been a number of new developments in the charity world. Some of the most important ones are summarised below. If you have queries relating to any of the issues raised please do not hesitate to get in touch with a member of the charities team.
changes to gift aid
A new scheme will be introduced whereby Gift Aid can be claimed on small donations, up to a total of £5,000 a year per charity, without the need for donors to fill in any forms at all. That means Gift Aid can be claimed on the contents of collecting tins and street buckets.
A new online system will be put in place to allow online filing of Gift Aid claims.
The government will also encourage wealthy people to give more to charity. The Gift Aid benefit limits will be increased from £500 to £2,500 so that charities and museums can say thank you properly to donors.
Inheritance Tax
A reduced rate of Inheritance Tax will be introduced from April 2012 for estates where 10% or more of the value is left to charity. The reduced rate will be 36% compared to the usual rate of 40% and the nil rate band will be frozen at £325,000 until 2015. Whilst this change may not impact charities directly it may be a useful tool to encourage supporters to consider charitable donations as part of their Inheritance Tax planning.
iXBRL
From April 2011, HMRC made it compulsory for all businesses to file both company accounts and tax returns in an electronic format called iXBRL – inline eXtensible Business Reporting Language.
Thankfully an exemption has been granted for small incorporated charities (defined as a charity, together with any wholly owned subsidiaries whose combined income does not exceed £6.5 million for the period). We understand that this exemption is likely to be in place for approximately two years, and so for now these charities can continue to file their accounts as a PDF.
Unfortunately this exemption does not extend to trading subsidiaries and so they are required to file tax returns, computations and accounts in the iXBRL format.
charity buildings VAT
From 1 March 2011, any building bought or constructed with zero rate VAT will be subject to a simplified “claw back” regime in the event that their use changes. It is rare for charities to allow the claw back to apply because of the financial impact. However, where it does, the charity needs to pay a proportion of the VAT originally avoided based on the number of years it has been used for qualifying purposes.
Steven Bluestone
senior manager – deputy editor | 020 7969 5509
sbluestone@haysmacintyre.com
In recent years there have been a number of well-publicised data security breaches and investigations by the Information Commissioner’s Office (ICO), most notably HMRC’s loss of two CDs containing unencrypted details of the entire Child Benefit database in October 2007.
The ICO was granted new powers which came into effect in April 2010. These allow the ICO to impose fines on organisations of up to £500,000 for serious breaches of the Data Protection Act. In addition, where an offence is proved to have been committed with the consent of, or caused by any neglect by a director (trustee) or manager (director), the ICO has the power to prosecute these individuals.
As well as financial penalties, a charity’s reputation could be significantly damaged by adverse publicity accompanying any negligent or accidental breach of data security leading to a loss of confidence in both the charity and its ability to provide services.
Charities rely on the information they collect and hold in order to fulfil their aims, objectives and obligations, whether it is supporter data held on a fundraising database or personal information about beneficiaries. Bespoke and off the shelf database systems store this data, but in many cases analytical processes are carried out through excel spreadsheets.
Database systems reporting functionality commonly allow data to be transferred out of the system into excel for this purpose, but the question for data security is what then happens to this spreadsheet. Whilst the database itself may have functionality to restrict access, or restrict transmission of the core data, once the data is in excel the charity is at greater risk. Where is the spreadsheet saved? Who has access to it? Does it contain personal, confidential or sensitive data? Is the spreadsheet encrypted? Do any third parties process data on your behalf?
All organisations should have policies and procedures that raise awareness of the sensitivity of data in its possession and make it clear that breaches of these policies may result in disciplinary action. But today’s electronic age does make it difficult for organisations to automatically restrict use of this data. Take for example the spreadsheet above containing names, addresses, and potentially other personal data. Once in spreadsheet form, it can be attached to an email, printed, or downloaded onto a memory stick - out of the building it can go. Charities must also be alert to the risk that data can be accessed through its website if the databases it uses are linked in some way; membership charities for example.
What, therefore can you do? It is possible to block emails that contain certain types of information through Outlook or other email software, although care must be taken not to use restrictions that would limit your ability to continue to function. It is always good practice to reinforce data security policies, procedures and practice annually, but perhaps more simply reviewing the ability to transfer data into excel, restricting those who can do so, and requiring encryption of spreadsheets that are used to analyse such data is a good place to start. For those organisations that allow access to databases through the website, ensuring that your web provider has carried out suitable ‘penetration testing’ of the website will also provide additional comfort that your systems are as robust as you can make them. If third parties are used to process or cleanse personal or sensitive data, review contracts to ensure that relevant data protection clauses have been added and perhaps undertake due diligence activities.
To some organisations, a data security breach may feel like a remote risk but actually, a stolen laptop, lost memory stick, a misdialled fax number or mistyped email address can be all it takes and the precautions required are, in fact, relatively simple and easy to implement. We realise that this is one more job on your list, but sensationalism sells newspapers, and so this is a risk that should be addressed by all in possession data that they believe is personal, confidential or sensitive.
If you need assistance reviewing this area of your business please contact me or Simon Bulleyment, Director, haysmacintyre IT Consultants, by email sbulleyment@hmitc.co.uk or phone 020 7969 5675.
Richard Weaver
Head of Charities | 020 7969 5567
rweaver@haysmacintyre.com
Back to top