Guidance

Internal financial controls for charities

Updated 26 April 2023

Applies to England and Wales

1. Why you need internal financial controls

Internal financial controls are important. They are essential checks and procedures to help you:

  • protect your charity’s assets, including its money and property
  • make informed decisions about your charity’s financial position
  • meet your legal duties, for example to manage your charity’s resources responsibly

Fraud and financial mismanagement can happen at any charity. Using suitable internal financial controls helps your charity:

  • identify and manage risks with its finances and assets
  • keep good quality accounting records
  • prepare timely and relevant financial information
  • make sure its financial reporting complies with the relevant legal requirements

Mismanaging your charity’s finances or assets can damage:

  • your charity’s financial viability, with consequences for how it delivers its services
  • your staff and volunteers’ morale
  • your charity’s reputation
  • public trust and confidence in charities

1.1 Who is responsible for your charity’s internal financial controls

You may choose to delegate the detailed work on financial controls to one or more trustees or to members of staff.

But all trustees remain responsible for their charity’s financial management and for implementing and monitoring their charity’s internal financial controls.

Make sure everyone in your charity understands and follows them.

2. General principles for all charities

2.1 Understand the type of controls appropriate for your charity

All charities need financial controls, regardless of size. They help to protect your charity’s assets and get the most out of your charity’s resources.

Your financial controls should cover:

  • all aspects of how your charity handles its resources and assets, including its money
  • how you store personal data in line with the UK General Data Protection Regulation (GDPR)

The types and levels of financial controls your charity needs will vary. For example, based on:

  • your charity’s size and structure
  • where your charity operates
  • what your charity does

Decide which controls are appropriate for your charity. Get professional advice if you are not sure, or if your charity’s activities are complex.

Your controls must follow any requirements in your charity’s governing document.

Use this guidance and our other guidance on making decisions and managing risks in your charity to help you identify which controls are suitable for your charity.

2.2 Understand your charity’s financial information

All trustees should have access to clear, accurate and up-to-date financial information, for example:

  • the latest management accounts. These usually report performance against budget and may include estimates for future periods
  • the reasons for any differences between your financial forecasts and the charity’s current financial position
  • details of cash flow and closing bank balances

Your charity’s financial position and performance should be:

  • a standing agenda item at trustee meetings
  • sent to each trustee before the meeting

Regularly reviewing the charity’s financial position can help trustees check that your charity is operating as a ‘going concern’ and isn’t facing insolvency. The earlier you can identify that your charity is in financial difficulties, the quicker you can act to protect your beneficiaries. Read Managing a charity’s finances: planning, managing difficulties and insolvency for more details.

As a trustee you should question things you don’t understand and highlight any concerns you have. The trustee body as a whole is responsible for your charity’s finances.

Many charities have a treasurer. The role of treasurer may vary, depending on the size of your charity. In smaller charities, the treasurer often has day-to-day responsibility for looking after your charity’s money and they report to the trustee body. In larger charities, the treasurer may work with the finance officer or a finance sub-committee.

Some charities choose to have a finance sub-committee. Large charities usually have one. This group gives more detailed consideration to financial issues, including internal financial controls.

All trustees must still understand their charity’s financial position and performance. The trustees remain ultimately responsible for all decisions. You should still make significant decisions as a full trustee body.

Make sure you have:

  • a record of the decision to form the sub-committee
  • clear and agreed terms of reference
  • clear and robust reporting procedures
  • lines of accountability

2.3 Preparing accounts and reports

You have a legal duty to keep accounting records for your charity and all charities must prepare annual accounts.

All registered charities must also produce a trustees’ annual report.

The content of the report and the format of the accounts varies depending on your charity’s income and structure.

You should make sure that when new trustees are appointed, they are given copies of:

Read Charity reporting and accounting: the essentials. This explains the accounting and reporting duties of trustees and what each type of charity is required to do.

2.4 Embedding internal financial controls

Everyone should follow your charity’s internal financial controls.

All trustees, and any senior management staff of the charity, should lead by example. They should follow all controls to help embed a culture of financial responsibility within your charity.

All trustees, staff and volunteers should be trained in your charity’s financial controls. This should include training on:

  • procedures to identify and report known or suspected financial crime or abuse
  • how to raise concerns about the conduct of trustees, senior managers or other staff

Make sure financial controls cannot be overridden by anyone.

2.5 Monitoring financial performance

You should monitor your charity’s financial performance on a regular basis.

Depending on the size of your charity, you can do this by:

  • comparing performance against financial policies, such as income reserve levels or investment performance
  • using ratio analysis, which your accountant or professional adviser will be able to advise on
  • monitoring your charity’s financial performance against a budget

A budget sets out planned income and spending for a future financial period, often a year.

To prepare a budget you should set proper and realistic estimates of income and expenditure for each:

  • area of your charity’s activities
  • financial year

You can then set your overall budget. All trustees should agree this before the start of the financial year.

All trustees, budget holders or operational managers should get regular financial information. This should explain any significant over or underperformance of income and expenditure plans.

2.6 Reviewing and monitoring your internal financial controls

Regularly review your charity’s financial controls to make sure they are still suitable. Do this at least once a year and always:

  • after a significant financial loss or narrowly avoided significant financial issue
  • before or after a significant change in how your charity operates, for example, a new structure or increased funding

Monitoring helps make sure that:

  • all controls including the basic ones such as bank and other reconciliations are carried out
  • everyone involved (staff and trustees) are aware of and are following the charity’s policies and processes, for example if they suspect there is a problem
  • your charity complies with its authorisation and approval procedures

You should keep records of your reviews and how you have responded to any issues you have found.

In larger charities you may use an internal or external auditor to review your processes. They should report the results to you. As a trustee, you will still need to ensure you understand your charity’s financial position and take the necessary action to address any issues or risks.

The charity should take immediate action if the review finds that anyone has misused the charity’s funds, or may be doing so.

You should also consider any new risks, for example because of changes to how you operate, or new threats such as new types of fraud.

2.7 Splitting financial duties between people

Make sure that more than one person is involved in all financial transactions. This means having a different person authorising a transaction to the person who made it.

In smaller charities it’s more likely that trustees will deal directly with most things. It is important that duties are split amongst all the trustees. This makes sure that one trustee is not overburdened or exercises sole responsibility.

If you cannot fully split duties due to a lack of people or money, you can manage the risk by:

  • all trustees reviewing transaction reports
  • checking that internal controls are followed and sharing the results with all trustees

2.8 Recording and reporting incidents

You should record any incidents of financial crime, abuse or breakdown of your charity’s financial controls.

You should also report it to other bodies depending on the type and level of the incident. Report:

Report any serious incidents to the Charity Commission. For example, a significant or potential loss to your charity’s money or assets.

Failure to report a serious incident to the Commission may result in regulatory action.

Auditors and independent examiners must report any matters of material significance to the Charity Commission.

3. Operational risks

3.1 Risks of fraud and cybercrime

Fraud poses a serious risk to your charity’s assets, including its data.

Most charities store information online. This can include card and personal details of donors, financial supporters, staff and suppliers.

The loss of personal or financial data could expose your charity and others to the risk of theft, fraud and loss.

You must make sure that your charity complies with the UK General Data Protection Regulation (GDPR) and any other relevant data protection laws.

You should make sure your charity has suitable policies in place which cover:

  • access, use, storage and processing of electronic data
  • the use of computers and data storage, such as cloud storage and memory cards
  • handling breach detection, investigation and reporting procedures

Make sure your charity has suitable software to protect against viruses and hacking.

Read Protect your charity from fraud and cybercrime for details on how you can manage these risks for your charity.

3.2 Risks when operating overseas

Charities working internationally will face extra challenges in:

  • transferring funds and
  • operating outside of the UK

Read Charities working internationally for more guidance on this.

3.3 Risks of corruption and bribery

All charities should have transparency policies and procedures to protect against bribery and corruption. These may include:

  • maintaining a register of interests for trustees and staff on your senior management team to identify any conflict of interest
  • having a policy on accepting hospitality
  • keeping a record of when hospitality is accepted
  • having a policy on making ‘facilitation payments’, which can be the norm in some areas

Read Bribery and corruption in charities for further guidance on this.

4. Internal financial controls for banking

4.1 Bank and building society accounts

Your charity should have a bank or building society account. This helps you protect your charity’s money and enables your charity to operate in a secure way. Any accounts should be in the name of your charity. They should match the name of your charity as written in your governing document.

The opening or closing of accounts should be either:

  • authorised by the whole trustee body or
  • delegated to a separate group who tell the trustees of any changes

You should make sure that:

  • you keep a list of all charity accounts
  • you close accounts which are no longer used
  • you regularly review the costs and benefits of your charity’s accounts, checking that any charges and interest rates are competitive
  • your bank or building society is regulated by the Prudential Regulation Authority. Check using the Financial Services Register on the Financial Conduct Authority’s website
  • duties are split to prevent any single person from being able to control charity funds exclusively
  • there is proper approval for bank transfers and payments
  • accounting records and bank statements are compared each month to make sure they reconcile
  • a second person reviews reconciliations in the charity to identify any discrepancies

Do not allow your charity’s bank accounts to be used for any individuals’, or third parties’, private use.

A bank mandate will set out who in the charity is authorised to manage the charity’s bank accounts. You should:

  • keep a clear record of who is named on your charity’s bank mandate
  • regularly review whether the bank mandate is appropriate for your charity
  • tell your bank of trustee changes
  • require dual authorisation to set up or change any bank mandate. The second person authorising any changes to the bank mandate should be a trustee

Your bank or building society must get authorisation from named people at your charity for any request to change the charity’s account details.

The named people should not be involved in reconciling bank statements or collecting income.

Read Charities: holding, moving and receiving funds safely for more detail on managing money.

4.2 Online banking

You should use a dual-authorisation system for your bank or building society accounts. Many banks and building societies provide this. It allows one person to create a payment request and another to authorise it.

Users should not share their security details with one another.

There are additional protections that can reduce the risk. For example, only allowing payments into previously authorised accounts.

You should also make sure that your charity:

  • keeps details of all online banking transactions
  • keeps statements as part of the accounting records
  • checks that the recipient is known and trustworthy
  • keeps all devices with access to online banking facilities secure
  • keeps all devices up to date with anti-virus, spyware and security system software
  • keeps all passwords and PINs secure
  • changes passwords periodically and following changes in authorised staff and trustees
  • provides training in online security to all people who use its computer systems

You should take appropriate care, such as not responding to emails or telephone calls asking for personal security details. Keep up to date with advice from your bank or building society about using online banking safely.

Use guidance from the National Cyber Security Centre for advice on keeping your charity protected online. UK Finance also has useful guidance on online payments.

4.3 Cash held in your charity’s bank or building society

Money held in your charity’s bank or building society accounts is sometimes called cash ‘held on deposit’.

You should make sure that your charity:

  • prepares monthly reconciliations for all accounts. A second person in your charity should review these reconciliations to identify any discrepancies
  • checks monthly that direct debits, standing orders and other transfers are correct
  • follows any requirements from the bank or building society

Accounts held by charities with banks and building societies authorised by the Prudential Regulation Authority may be protected by the Financial Services Compensation Scheme up to £85,000.

4.4 Banking cash and cheques

You should:

  • record and bank cash and cheques promptly
  • store cash and cheques you have not yet banked in a safe or locked cash box
  • bank funds gross, this means without deduction for costs or expenses
  • consider insurance cover for cash your charity may hold

4.5 Alternative banking methods

These include the use of money transfer facilities such as:

  • hawala
  • chiti
  • fei-ch’ien
  • hundi

Some charities work in areas where alternative banking methods are commonly used. Where you can, use regulated banking systems which tend to have stronger safeguards. Alternative banking methods may not have robust audit trails and so the risk of fraud can be higher.

If you cannot use regulated banking systems, you should help manage the risk by:

  • making sure you know and trust the person or body you are sending money to and carry out adequate due diligence checks
  • checking that an intended recipient has received the funds before using the same method again
  • having the same authorisation procedures as for regulated bank payments

Keep an audit trail for each transaction. This should include:

  • payment vouchers
  • post transaction documentation
  • details of the intermediary’s name and address
  • the amount and date of payment
  • the name of the person making the payment, the fee charged and the recipient/payee

You should have clear policies, agreed by the trustees, on when your charity will use alternative banking methods.

Read holding, moving and receiving funds safely for information and tools about using these methods.

5. Internal financial controls for income

5.1 Income from donations

You should have a policy on donations which includes:

  • when and how donor checks are carried out
  • how the charity keeps records of donations
  • how to report and handle suspicions about donations
  • whether you accept donations of cryptoassets and how these are handled
  • checks for any potential money laundering

Use Acceptance, refusal and return: A practical guide to dealing with donations by the Institute of Fundraising for more information on donations.

Read Due diligence, monitoring and verifying the end use of charitable funds for more information.

5.2 Tainted charity donations

This is where a donor appears to donate to get a financial benefit from the charity. Your charity may have to pay an income tax charge if it knew the purpose of the donation was for the donor to receive a personal financial benefit.

Read HMRC’s guidance on tainted charity donations for full details.

5.3 Donations from public collections and fundraising events

You must comply with the law which covers public collections and fundraising events. The rules are set out in our guidance Charities and fundraising (CC20).

You should consider asking for card payments instead of cash. Card payments can be more secure. Holding large sums of cash can leave your charity vulnerable to theft or fraud.

You should display the names of fundraisers you work with on your website. Encourage people to report any potentially fraudulent fundraising activity they see.

If you are collecting cash, you should make sure:

  • collection boxes are individually numbered
  • you record when collection boxes are given out and handed in
  • collection boxes are sealed before use
  • all collection boxes are opened regularly and the contents counted
  • you count public collections in front of the collectors and give them a numbered receipt
  • at least two people handle and record the cash
  • it is banked as soon as possible without deducting expenses
  • you keep records for each fundraising event
  • you identify how much has been collected and the costs incurred

If you sell tickets, you should make sure that:

  • they are numbered
  • you keep a record of who has which ticket number
  • you keep a record of sold tickets
  • you collect all money and any unsold tickets
  • you reconcile receipts against tickets sold

5.4 Income and donations received online and by card readers

There are a range of card readers and ways of receiving money online. Many charities use fundraising platforms.

You should make sure:

  • you keep card readers securely and they are maintained by authorised individuals
  • you use correct bank account details
  • you keep passwords secure
  • you understand when to expect payments so you can easily identify if there is an issue
  • you carry out regular reconciliations to match the transaction history with the income in your charity’s bank account

If your charity collects donations using card readers, you must comply with the Payment Card Industry Security Standards.

5.5 Income and donations received by post

Income received in the post should be:

  • held securely
  • opened promptly
  • accurately recorded

If you tend to, or expect to, receive donations through the post, whenever possible:

  • open post in the presence of a second person
  • rotate post-opening responsibilities between staff

If only one individual can open post, then use other controls. For example, compare the levels of donations you received from similar appeals or time periods.

5.6 Claiming Gift Aid on donations

Charities can claim Gift Aid on many donations from individuals.

Read HMRC’s guidance on for full details on the rules you must follow and on how to claim this.

You should also check that you receive:

  • expected amounts from committed donors
  • due tax repayments

5.7 Donations of cryptoassets

Cryptoassets are digital representations of value or rights that use blockchain technology. Cryptoassets include cryptocurrencies and non-fungible tokens (NFTs).

Cryptocurrency is a digital, or virtual, currency that you can trade or use to buy and sell things. Common forms are Bitcoin, Ethereum and Binance Coin, but there are many others.

Cryptocurrency is stored online on a blockchain. Blockchain is a digital ledger. It records who owns each cryptoasset and when they are transferred.

NFTs are digital assets that link ownership to unique physical or digital items, such as works of art, real estate, music, or videos. ‘Non-fungible’ means they are unique and not replaceable. NFTs are also stored on a blockchain.

There are many risks associated with cryptoassets, including:

  • the volatility of their value as this can change very quickly
  • potential fraud or theft by hackers
  • the lack of protection compared to traditional currencies or financial products – because cryptoassets are largely unregulated you are very unlikely to have access to the Financial Services Compensation Scheme (FSCS) or the Financial Conduct Authority (FCA) if something goes wrong
  • that laws on cryptoassets vary between countries – cryptoassets are banned in some countries and other countries have complex regulatory requirements
  • difficulty in tracing donors because donations of cryptoassets can be made anonymously
  • their limited use as few retailers accept them as payment
  • the environmental impact of cryptoassets and blockchain technology – many of these use a lot of energy and you should check how this fits with any environmental, social and governance policy you may have

You have a legal duty to manage your charity’s resources responsibly, including by implementing appropriate financial controls and managing risk.

Understand the risks of holding, and the limitations of using, cryptoassets before you accept donations of them. You should be certain you have the expertise to manage these risks carefully. If you hold any cryptoassets you should be prepared for them to lose their value.

If, despite these risks, you decide that your charity should accept donations of cryptoassets or use NFTs as a method of fundraising you should:

  • adopt a policy on accepting, refusing and using cryptoassets, including how you make decisions about converting them to traditional currency
  • if your charity is receiving donations directly in its crypto wallet, ensure the platform you are using is compliant with UK regulations and registered with the FCA for anti-money laundering and counterterrorism as required
  • keep accurate records of donations, storage and use
  • make sure you follow HMRC’s guidance on the taxation of cryptoassets
  • remember that you cannot claim Gift Aid on any cryptoassets
  • review the benefits to your charity of accepting cryptocurrency versus the risk
  • regularly review your policies on them

Read FCA and FSCS advice on the risks of using cryptoassets and seek expert advice if needed.

Use our guidance on Know you donor and consider whether you need new, or should review existing, policies on receiving anonymous donations.

The Code of Fundraising Practice is a useful framework for deciding whether your charity should accept cryptoassets.

5.8 Income from trading

Charities can trade to achieve their purposes or to raise funds.

The financial controls you need will depend on the type of trading your charity does. Your financial controls should make sure that your charity receives and records all its income from trading activities.

Where your charity itself undertakes the trading, you should have a pricing policy for goods and services you supply which you review often. You should also have procedures for:

  • invoicing for all goods and services you provide
  • stock control
  • reconciling invoice amounts and cash received to outstanding invoices

You should also regularly:

  • make sure that your trading stays within the relevant tax exemptions
  • review outstanding debts and debt collection procedures

Read Trustees trading and tax: how charities may lawfully trade for further information.

5.9 Income from legacies

There can be a long delay between being told of a legacy and receiving it.

You should:

  • keep a record of all expected legacies
  • keep a record of all related correspondence
  • regularly review progress on collecting outstanding legacies
  • ensure that any items or property left to the charity are held securely, valued and, if appropriate, sold so that the charity can use the income

6. Internal financial controls for expenditure

6.1 Expenditure on goods and services

Suitable controls help make sure that your charity:

  • only buys things it needs and within budget
  • only pays for goods or services it receives and at agreed prices
  • gets good value for money

You should:

  • have clear, written authority limits for placing orders and approving payments
  • make sure that any orders are within an agreed budget. Spending outside agreed budgets should be authorised
  • check invoices against orders and the receipt of the goods or services ordered
  • pay invoices on time and include any relevant discounts
  • make sure accounting records reconcile. As part of this, reconcile the purchase ledger (which should show what your charity has bought) with the purchase control ledger (which should show how much money you owe to suppliers at any time)

6.2 Payments by debit, credit or charge cards

You should have a clear policy for the use of payment cards which covers:

  • who can use them
  • spending limits
  • how they should be stored
  • where they can be used, such as only allowing them to be used in specific circumstances

When you issue a card to someone in your charity you should make sure they:

  • have a copy of your card policy
  • always ask for receipts, including for contactless payments
  • provide receipts for checking against account statements
  • return the card to the charity if their circumstances change, for example, they leave the charity

Your charity should make sure that:

  • card statements are sent to a different person than the card holder. For larger charities, statements should be sent directly to the finance team
  • all receipts and invoices are matched to statements
  • card use is regularly checked to make sure the charity’s policies are being followed

Your charity must make sure it cancels and destroys the relevant payment card if:

  • it is lost or stolen
  • the card holder is no longer involved with the charity
  • the authorisation of the card’s use is withdrawn

6.3 Mobile payment systems, such as Google Pay and Apple Pay

Mobile payment systems, such as Google Pay, Apple Pay and PayPal, let you pay for things without having to enter card details or personal details for every transaction. The payment details are in an individual’s digital wallet.

You should have the same controls in place as for payment by debit, credit or charge cards.

6.4 Payments by bank transfer, Bankers’ Automated Clearing Services (BACS), Direct Debits and standing orders

Bank transfers and BACS payments are payments by electronic transfer directly into an account. But they are difficult to recall in the event of errors or fraud.

Most banks use Faster Payment System (FPS) for transfers between accounts in the UK. Each bank imposes its own limit on the maximum value of a transfer by FPS.

A Direct Debit is a regular payment set up by the organisation which you are paying. The organisation has the power to amend or cancel it.

A Standing Order is a regular payment which you set up to pay other people or organisations, or to make transfers to your other bank accounts. You can amend or cancel it when needed.

You should:

  • only allow a limited number of authorised individuals to set up these types of payments
  • keep the list of authorised individuals securely
  • consider using dual authorisation to authorise a BACS payment
  • keep any documents setting up payments as part of your charity’s accounting records
  • monitor the payments regularly
  • cancel payments if your charity stops using the goods or services

Your charity may set up batch payment files. These make multiple payments to different recipients at the same time using an accounts software package. You should make sure that the payment files cannot be edited between being created and uploaded onto the online banking system.

6.5 Payments by cheque

You should have a clear policy on who can sign cheques on behalf of your charity.

Check whether your charity’s governing document requires two signatories on cheques.

Some charities allow for small-value cheques to be signed by only one individual. In larger charities, signatories may be senior employees.

Your charity’s policy on authority limits should apply to cheques.

You should:

  • keep cheque books in a secure place
  • regularly review authority limits
  • prohibit the signing of blank cheques
  • ensure prompt recording of payments in cash books, this should include details of the cheque number, nature of the payment and the payee
  • get confirmation that the goods or services have been received

6.6 Payments in cash or by pre-loaded cash card

Keep these payments to a minimum. They pose a higher risk due to a lack of electronic audit trail.

Pre-loaded cash cards should be treated as cash payments. We recommend these are not used due to a lack of transaction history.

You should make sure:

  • cash payments are for small amounts only and paid out of a petty cash float
  • details of payments are recorded in a petty cash book or online ledger
  • supporting documentation for the payment is authorised by someone other than the person who maintains the petty cash, or the person making the payment
  • you keep any petty cash and the records securely
  • an independent person carries out regular checks of the petty cash float
  • an independent person checks and authorises cash withdrawals

6.7 Paying wages and salaries

Paying wages and salaries can be a major item of your charity’s expenditure.

You must meet several legal requirements in this area, for example you must make sure that:

  • you maintain the records required by HMRC of PAYE deducted from the wages and salaries of employees
  • statutory deductions are paid to HMRC as required
  • pension contributions are paid to the pensions’ provider promptly
  • you meet any legal obligations relating to pensions, see the Pensions Regulator for full details on this
  • deadlines for year-end returns to HMRC are met including P35, P11D and P60
  • you complete the data required for ‘real time information’ submissions to HMRC and submit them on time
  • you follow the law on minimum wages
  • only authorised or required deductions are made from pay
  • each employee has a proper contract of employment
  • you comply with data protection requirements

Read HMRC’s guidance on PAYE and payroll for more information on your legal duties.

You should also make sure that your charity:

  • stores staff personnel records separately from pay records
  • has systems for promptly notifying and authorising those operating the payroll of starters and leavers; changes to pay, hours, overtime or non-standard hours; staff sickness or staff maternity or paternity leave
  • carries out periodic checks to make sure you are not paying people who are no longer employees, or paying existing employees the wrong salary
  • does not enable individuals to set their own pay, benefits or terms of employment
  • pays wages and salaries by BACS for safety and efficiency where staff numbers make this worthwhile

6.8 Payment or reimbursement of expenses

Expense payments are refunds of payments which a trustee, member of staff or volunteer has had to meet personally to carry out their duties for your charity.

If your charity pays expenses, you should have a policy that sets out the rules. It should include how to make a claim and what evidence you need to submit.

You should make sure that:

  • everyone within the charity knows and understands the policy. Include it as part of any induction programme you provide
  • someone who is not the claimant authorises the payment and checks it for accuracy
  • claims contain a self-declaration that the claim is accurate and incurred in connection with charity business
  • you pay claims in a secure way, such as by BACS transfer
  • any mileage rate for motor travel is within HMRC rates that do not result in a tax or national insurance liability for the charity or the claimant

Read HMRC rules on Expenses and benefits for employers.

6.9 Expenditure on grants

Suitable controls can make sure you make grants in line with your charity’s purpose and policies and that the grant is used correctly.

You should have a grant-making policy which sets out:

  • the conditions and restrictions for any grant
  • procedures for the review and approval of grant applications
  • how you will check the suitability of applicants
  • how you will make sure that grants have been used correctly

You can also set priorities for activities or projects your charity wants to fund.

Read Grant funding an organisation that isn’t a charity, which covers principles that are relevant to any charitable grant-giving.

Your charity may make payments to a person or organisation connected to your charity. Where that person is a trustee, or an organisation connected to a trustee, you must have specific authority to make the payment.

An organisation could be connected to your charity because it is a company that is controlled by one or more trustee.

These payments can be called ‘related party transactions’ and are defined in the Statement of Recommended Practice (SORP).

You must comply with any rules in your charity’s governing document about paying trustees or paying people or organisations connected to trustees.

You must also be satisfied that it is your charity’s best interests to make these types of payments. For example, you should not use a company controlled by a trustee to provide a service to the charity simply because it is the easiest option.

Read our guidance on trustee expenses and payments and managing conflicts of interest in a charity.

8. Internal financial controls for assets and investments

8.1 Tangible fixed assets

These include the following which are used during your charity’s activities:

  • land
  • buildings
  • vehicles
  • fixtures and fittings
  • equipment

As a trustee, you have a duty to safeguard your charity’s assets and make sure they are being used properly. Suitable internal financial controls makes sure that assets can be:

  • identified
  • recorded in accounting records
  • used for your charity’s purposes

You should make sure that your charity:

  • sets an amount at which small capital items should be included in the accounts as fixed assets
  • has a register of all fixed assets your charity uses, including the cost, or value, of each asset and have enough detail to enable each asset to be identified
  • regularly inspects fixed assets to ensure that they still exist, are in good repair and are being used appropriately
  • authorises the disposal or scrapping of fixed assets appropriately and records this in accounting records and in your fixed asset register
  • regularly reviews your insurance cover to make sure it is adequate
  • secures the boundaries of any land and buildings and makes sure they are recorded appropriately with the Land Registry
  • holds any title deeds to land securely and checks that the deeds accurately record your charity’s interest in the land

Charities that are trusts or unincorporated associations cannot hold fixed assets in their own name. They can either:

  • appoint holding or custodian trustees to hold the assets including land on the charity’s behalf or
  • use the Official Custodian for Charities (OCC) to hold land on the charity’s behalf

Holding or custodian trustees are appointed to hold property on behalf of a charity; they aren’t charity trustees. They must act on the lawful instructions of the charity trustees and in accordance with any rules in your governing document.

You must make sure that any documentation for fixed assets held by the OCC, or by holding or custodian trustees, makes clear that the property is being held on behalf of your charity and cannot be sold without the agreement of all the trustees.

Read our guidance on the Official Custodian for Charities for more information.

8.2 Intangible fixed assets, such as intellectual property rights

Your charity may have assets which are not physical. These can include:

  • electronic data
  • trademarks or logos
  • software your charity has developed

For electronic data you should:

  • maintain a record of all electronic data, including personal data, which your charity holds
  • understand who can access it and how they do so
  • make sure it is accurate
  • keep it securely
  • make sure that any personal data is held in compliance with GDPR requirements and other relevant legislation

For other intangible assets you should maintain a record of all assets which includes:

  • what form they take
  • who exercises oversight
  • arrangements for custody or protection
  • any licensing or agreements for third parties to use them
  • how you safeguard them

You should also make sure that any decisions on the exploitation, creation, or disposal of intellectual property are appropriately authorised.

8.3 Restricted funds and endowment funds

You must ensure you spend, manage and account for any restricted and endowment funds your charity has according to the rules.

Restricted funds are given to a charity for a specific, or restricted, purpose which is narrower than the purposes of the charity.

Endowment funds are types of restricted funds and may be expendable or permanent.

Depending on the conditions attached to the endowment, you may be able to spend some or all of the endowment.

Permanent endowment is property that your charity must keep rather than spend. There are two main types of permanent endowment:

  • money or other assets given to your charity for investment. Only the investment income can be spent
  • property given to your charity that must be used only for a particular purpose. For example, land or buildings given for use as a school or recreation ground

If your charity has permanent endowment, read our guidance and have suitable controls in place. Seek legal advice if you are unsure.

If your charity has restricted funds or endowment funds, your charity accounts should reflect each separate fund.

8.4 Investments

Many charities choose to invest funds. For some charities, this will be limited to using a high interest savings account. Choose the accounts that work for your charity’s needs.

Other charities invest in other ways, for example stocks or shares, or by making social investments.

Read Charities and investment matters: a guide for trustees (CC14) to understand the legal duties that apply when making investments.

9. Internal financial controls for loans

9.1 Making loans

You can only make loans where it is in your charity’s best interests. Loans should be repayable on commercial terms, unless lending on other terms would further your charity’s purposes.

Before your charity makes a loan, you should follow a proper process to make sure:

  • a formal recorded decision is taken to approve the making of the loan and the reasons. This is usually made by the trustees
  • you are satisfied that the recipient can repay the loan

If your charity decides to make a loan you should keep clear records of:

  • the amount and the terms of the loan
  • all repayments of interest and principal
  • any missed repayments
  • all outstanding loans the charity has made

Where a loan is made to a related party (see Statement of Recommended Practice (SORP) definition) such as a trustee, you must:

  • properly manage the conflict of interest
  • only make the loan on the proposed terms if it is in your charity’s best interests

You may choose to delegate the decision to make loans below a certain level to the Chief Executive, the Chief Finance Officer or a sub-committee of trustees.

If you are making loans to your beneficiaries or to other charities as a social investment, read Charities and investment matters: A guide for trustees (CC14) for further guidance.

9.2 Taking out loans, including loans from trustees

Before taking out a loan you should make sure that:

  • a formal recorded decision is taken to approve the charity taking out the loan and the loan agreement
  • all trustees are aware of its terms
  • your charity can repay the loan according to the loan agreement and a plan is in place to do so

Trustees must have considered that taking out the loan and the loan terms are in your charity’s best interests.

You should keep clear records of:

  • the amount borrowed
  • the terms of the loan and all relevant documentation
  • all repayments of interest and principal
  • any charges and any missed repayments
  • all outstanding loans and the outstanding balance
  • any loans secured or subject to bank covenants in your charity’s register of assets

If a related party, such as a trustee, loans the charity money you must also make sure that:

  • the conflict of interest is properly managed
  • if an interest rate or other fee is charged, that rate is justifiable and follows any requirements in your charity’s governing document

If your governing document does not include any rules about accepting an interest-bearing loan from a trustee, seek appropriate advice on whether you can agree it.

10. Internal financial controls for hospitality, including gifts

You must be able to demonstrate that any hospitality given or received is justified and is not detrimental to either your charity’s beneficiaries or its reputation.

You need to consider:

  • how it helps you deliver your charity’s work
  • whether it is reasonable
  • whether it gives rise to more than incidental personal benefit
  • whether it poses any risks to your charity’s reputation, including if it could be viewed by others as excessive or unnecessary

You should have a policy which:

  • sets out acceptable limits on hospitality
  • prohibits accepting hospitality, which either is, or could be seen to be, a bribe, a corrupt payment or to secure preferential treatment
  • requires records to be kept of hospitality given, accepted or refused. This should also be noted on your charity’s register of interests if it relates to trustees
  • applies to everyone
  • is understood by everyone

11. Internal audit functions and audit committees

Depending on your charity’s size and complexity, you may need an internal audit function and/or audit committee. This is different to a statutory or external audit.

11.1 Internal audits and audit committees

An internal audit looks at the effectiveness of your charity’s financial controls. It helps you identify and assess risks to your charity.

It should cover:

  • risks
  • controls
  • governance and assurance

It should advise on:

  • how your charity should manage and track risk
  • the completeness of your risk register

Internal audits can be carried out by charity employees or by external professionals appointed by the trustees. An internal audit is different from a statutory audit which expresses a view on whether your accounts show a ‘true and fair’ view.

Internal auditors should:

Internal auditors usually report directly to you as the trustees, or an audit committee set up by the trustees. They present reports and management letters that identify weaknesses in internal controls.

Use the Internal Audit Code of Practice by the Chartered Institute of Internal Auditors when reviewing how your internal audit is working.

You should make sure your internal audit committee has in place:

  • clear and agreed terms of reference
  • clear and robust reporting procedures
  • lines of accountability

If you do not have an audit function or committee because your charity is small you should:

  • regularly review whether an internal audit is needed
  • have other appropriate ways to check your internal financial controls are working

11.2 External audits

The law states which charities must have an external audit. This is a statutory audit completed by a statutory auditor.

Charities must also have an external audit if required by their governing document. There may also be other reasons that one is required, such as by a funder as a condition of funding.

The statutory auditor will give their professional opinion as to whether your charity’s accounts are ‘true and fair’. They do this by following standard procedures in accordance with International Standards on Auditing (UK and Ireland).

If your charity is required to have an external audit, you should have an internal audit committee.

Check Charity reporting and accounting: the essentials if you are not sure on your charity’s reporting and accounting duties.

12. Internal financial controls checklist

Use this internal controls checklist which provides a useful summary of what controls may be needed when reviewing your charity’s internal financial controls.

13.1 Money laundering

Money laundering legislation in the UK is mainly governed by:

The Terrorism Act 2000

The Anti-Terrorist Crime and Security Act 2001

The Proceeds of Crime Act 2002

13.2 Tax evasion

Corporate charities can be prosecuted where they fail to prevent the criminal facilitation of tax evasion carried out by an “associated person,” such as an employee, agent or other person who performs services for or on behalf of the charity. It is a defence for a charity to have put in place reasonable prevention procedures, or where it would be unreasonable to expect a charity to have put in place procedures, for example a very small charity.

Read HMRC’s guidance on The Criminal Finances Act 2017. This applies to corporate charities such as charitable companies, Charitable Incorporated Organisations, Royal Charter charities and statutory charities.