The Charity Commission has published updated guidance on internal financial controls for charities, in an attempt to modernise the guidance and address cyber risks. The guidance is accompanied by an updated checklist for charities to measure their compliance with legal requirements and good practice on internal financial controls. The Commission recommends that charities review their controls at least annually, as well as on any significant (potential) change in a charity’s operations, structure or finances. The revised guidance provides a good starting point for such a review.

Trustees rely on good internal financial controls to ensure that they fulfil their legal duties to protect the charity’s assets and to make well-informed financial decisions. Sound financial controls can also flag to trustees any risks or illegality, such as potential fraud, theft, tax evasion or money laundering. Poor financial awareness and systems can damage both a charity’s ability to carry out its work and its reputation, with the Charity Commission frequently publishing inquiries into charities concerning financial impropriety or poor accounting (see most recently the Charity Commission’s inquiry into the religious charity Keren Shmuel over its failure to submit accounts).

This is the first time that the guidance has been updated since it was published in 2012. The updates are intended to make the 30-page guidance more concise and clear, but also more comprehensive. In particular, they extend the guidance to tackle new cyber-security concerns, as well as more traditional financial risks. This is in the context of the Government’s cyber security breaches survey 2023 revealing that 24% of charities have experienced a cyber-attack in the last 12 months. For further information about the results of the survey, please see Emma Watt and Steven Brunning’s recent blog post.

Some of the updated guidance may seem quite niche, such as the guidance on accepting donations of cryptocurrencies and so-called non-fungible tokens, but it also covers more mainstream concerns including:

  • internal controls for making payments on behalf of your charity;
  • fundraising and public collections;
  • paying people who are connected to the charity (e.g. paying trustees);
  • the risks of sending funds overseas;
  • a new section on accepting hospitality (e.g. invitations to networking or fundraising events); and
  • the risks of accepting donations through mobile payment systems, like Apple Pay.

Trustees are encouraged to review the guidance and the checklist and to ensure that all staff, not only the board, are aware of their recommendations. Trustees may tie in a review of their internal financial controls with a review of their fraud prevention procedures, in line with Edwina Turner’s recommendations in her recent blog post on the proposed offence of failing to prevent fraud.

If you are concerned about your charity’s internal financial controls, feel free to contact our charities team for further advice.