CC8 guidance update: what you need to know
Alison Jones, senior associate in our sports, education and charities team, discusses the Charity Commission’s recent update on internal financial controls to help manage risks.
Background
If you haven’t recently reviewed your internal financial controls, then now is the time!
Just last month, the Charity Commission updated its “internal financial controls for charities” guidance (known as “CC8”) and supplemental checklist.
The guidance is intended to help trustees protect their charity’s investments and assets (e.g. money, data, property), get the most out of their resources, and protect them against risks.
What is classed as a ‘risk’?
“Risks” include more traditional risks such as fraud, making payments to related parties, accepting hospitality, and operating overseas, as well are newer risks arising from the latest technologies (e.g. donations of cryptoassets) or mobile payments systems (e.g. Google Pay and Apple Pay).
With 24% of charities having experienced a cyber-attack in the last 12 months, as identified in the Government’s cyber security breaches survey 2023, protecting against these newer risks is becoming increasingly important. After all, prevention is better than cure.
It is therefore surprising that a survey carried out by the Charity Commission last year found that just under half of the charities surveyed have a formal policy in place to manage the risks facing charities online.
Some top tips
Some of the tips from the Charity Commission’s updated guidance are listed below.
Operational and banking
Make sure your charity:
- Complies with the UK GDPR and has suitable policies in place in that regard.
- Has suitable software to protect against viruses and hacking.
- Has transparency policies and procedures to protect against bribery and corruption.
- Uses a dual-authorisation system for its bank or building society accounts. A dual-authorisation system allows one person to create a payment request and another to authorise it.
Income and expenditure
Make sure your charity:
- Has a policy on donations which includes, for example (i) when and how donor checks are carried out; (ii) how to report and handle suspicions about donations; (iii) whether to accept donations of cryptoassets and how these are handled.
- Considers asking for card payments instead of cash at fundraising events. Card payments can be more secure
- Only buys things it needs and within budget.
- Only pays for goods or services it receives and at agreed prices.
- Has a clear policy for the use of payment cards which covers, for example, who can use them and spending limits.
- Has a policy setting out the rules for payment of expenses (if your charity does indeed pay expenses). It should include how to make a claim and what evidence a person needs to submit.
- Makes grants in line with its purpose and policies, and that the grant is used correctly.
Payments to related parties
Ensure your charity has specific authority to make any payments to a person or organisation connected to the charity, and complies with any rules in its governing document about paying trustees or paying people or organisations connected to trustees.
Trustees must be satisfied that it is the charity’s best interests to make these types of payments.
Loans
Only make loans where it is in your charity’s best interests. Loans should be repayable on commercial terms, unless lending on other terms would further the charity’s purposes.
Before the charity makes a loan, it should follow a proper process to make sure, for example, a formal recorded decision is taken to approve the making of the loan and the reasons, and the trustees are satisfied that the recipient can repay the loan.
Hospitality
Your charity must demonstrate that any hospitality given or received is justified and is not detrimental to either the charity’s beneficiaries or its reputation.
The charity should have a policy which, for example, (i) sets out acceptable limits on hospitality; (ii) prohibits accepting hospitality, which either is, or could be seen to be, a bribe, a corrupt payment or to secure preferential treatment.
Depending on its size and complexity, your charity should also have an internal audit function and/or audit committee to look at the effectiveness of the charity’s financial controls.
What does this mean for your charity?
For those charities which feel that they already have suitable financial controls in place, it is worth remembering that, whilst your trustees remain responsible for your charity’s financial management and for implementing and monitoring your charity’s internal financial controls, you must make sure that everyone in your charity understands and follows them. Training and awareness is key.
For more information on anything covered in this article, or for more general queries related to charity law, contact Alison at [email protected] or on 0191 211 7930.