Warning as lockdown fraudsters target school academies

Multi-academy trusts should be on guard from fraudsters looking to exploit any weakening of internal controls during lockdowns.

Concerns have been raised by chartered accountants HWB, which advises academies trading as not-for-profit companies.

Academies are funded directly by government rather than by local authorities and are free to control their own finances, curriculum and term dates; trustees are responsible for performance.

Michaela Johns, a director at HWB, works closely as an external auditor with academies and independent schools across Dorset, Hampshire and Wiltshire.

She said: “There are many complex moving parts within multi-academy trusts, of which there are nearly 1,200 in England.

“Among them are internal controls, which have become even more important during the pandemic when many staff are working remotely from home and procedures may have slipped.

“Fraudsters are seizing the opportunity to attack IT systems and get through the weaker processes that might be occurring during these times.

“Internal financial controls reduce but do not always eliminate the risk of losses and it might be that is due to fraud or bad decisions or just human error.”

Michaela added: “Overall it is the trustees’ responsibility to establish, implement and monitor internal financial controls.”

She provided two real-life examples which academies should “tighten up” as a matter of urgency.

“The examples we have seen recently with internal controls have been around BACS fraud – a classic procurement problem.

“You get notification that your supplier, that you have worked with for many months, is changing their bank account details.

“This change should not just be processed on an email – you should make sure you make a call to someone you know at the organisation and confirm it. Also get it confirmed on the company letterhead.

“When you present that payment run for approval, you can show whoever is approving the payment run the fact that the bank account and sort code have been looked at, checked and proved that change is valid.

“We have seen large sums of money being paid, perhaps for a building project, going off to the fraudsters instead. Controls must be rigid.”

Payroll is another area which can be attacked currently, Michaela cautioned.

“This tends to be an insider fraud.

“Many trusts outsource their payroll provision, but this is a good time for them to review processes if they get a new person on to the payroll.

“They need to check HR is separate from finance – the new person coming on the payroll is an HR duty and running the BACS for the monthly payroll is a separate finance duty.

“If whoever is approving those BACS runs does not know the name on that list, they should speak directly to HR rather than the finance teams to ensure the person is a genuine employee.

“This risk can be mitigated by a good separation of duties check.”