Introduction to the charity sector

This guidance discusses charities and the regulatory environment within which they operate, as well as the prominent risks and issues facing charities in today’s world.


What is a charity?

A charity in England and Wales is defined, by law, as an organisation which has exclusively charitable purposes and is regulated by the High Court’s charity law jurisdiction. As part of this, charities must prove they exist for the public benefit. Charities are governed by a range of laws and regulations, no differently to most organisations (for example, the GDPR and Employee and Health and Safety legislation), but charities also have their own legislation which they must adhere to, namely the Charities Act 2011.

Specifically, the Charities Act 2011 defines a charity as an institution which:

(a) is established for charitable purposes only, and

(b) falls to be subject to the control of the High Court in the exercise of its jurisdiction with respect to charities.


What are the different types of charities?

Charities of all sizes exist, and they exist for a range of different purposes. Many of the largest charities in the United Kingdom generate hundreds of millions of pounds of income per year, with some generating over £1bn of income per year (for example, the British Council earned £1.25bn income in its 2018/19 financial year).

The objectives of a charity can range from providing humanitarian relief to being a professional membership organisation. Others include a focus on technology, health, animals, medical and social research and a wide range of other topics.

The Charities Act lists 13 ‘descriptions of purposes’

The ‘descriptions of purposes’ are a list of broad headings that a purpose must fall under to be a charitable purpose (legal requirement). Each description serves as a general heading under which a range of different charitable purposes fall. The list of descriptions of purposes, taken with the range of purposes that fall under each description, covers everything recognised, or which may be recognised, as charitable in England and Wales.

The 13 descriptions of purposes listed in the Charities Act are:

(a) the prevention or relief of poverty

(b) the advancement of education

(c) the advancement of religion

(d) the advancement of health or the saving of lives

(e) the advancement of citizenship or community development

(f) the advancement of the arts, culture, heritage, or science

(g) the advancement of amateur sport

(h) the advancement of human rights, conflict resolution or reconciliation or the promotion of religious or racial harmony or equality and diversity

(i) the advancement of environmental protection or improvement

(j) the relief of those in need, by reason of youth, age, ill-health, disability, financial hardship or other disadvantage

(k) the advancement of animal welfare

(l) the promotion of the efficiency of the armed forces of the Crown, or of the efficiency of the police, fire and rescue services or ambulance services

(m) any other purposes currently recognised as charitable or which can be recognised as charitable by analogy to, or within the spirit of, purposes falling within (a) to (l) or any other purpose recognised as charitable under the law of England and Wales.


How do you become a charity?

The Charity Commission in England and Wales (“CCEW”, “The Charity Commission” or “The Commission”) sets out the 6 main steps to becoming a charity:

  • find trustees for the charity - you usually need at least 3 (who are essentially non-executive directors)
  • make sure the charity has ‘charitable purposes for the public benefit’
  • choose a name for the charity
  • choose a structure for the charity (charitable company, charitable incorporated organisation, charitable trust, unincorporated charitable association)
  • create a ‘governing document’. Refer below for more information
  • register as a charity if the annual income is over £5,000.

What does charity governance look like?

Every charity must have a governing document. A charity’s governing document is a legal document which sets out:

  • its charitable purposes (‘objectives’)
  • what it can do to carry out its purposes (‘powers’), such as borrowing money
  • who runs it (‘trustees’) and who can be a member
  • how meetings will be held, and trustees appointed
  • any rules about paying trustees, investments and holding land
  • whether the trustees can change the governing document, including its charitable objectives (‘amendment provisions’)
  • how to close the charity (‘dissolution provisions’)

Trustees have overall control of a charity and are responsible for making sure it’s doing what it was set up to do. They may be known by other titles, such as:

  • directors
  • board members
  • governors
  • committee members

Trustees are the people who lead the charity and decide how it is run. In addition to the board of trustees, there is typically an executive or management team (chief executive, finance director, IT director, etc.) who run the organisation and report into the board of trustees.

The need for effective governance arrangements within charities is at its highest due to the complex nature of many charities’ operations, and the risks attached to those operations. Heightened media and public scrutiny are also resulting in charities ensuring that their governance arrangements are robust, with a particular focus on transparency.

There is a range of best practice available to an organisation on effective corporate governance. 

For charities, there is the Charity Governance Code, which was created through collaboration between a range of charity focused organisations and the creation of a steering group.

These included:

The Charity Commission was an observer on the group which developed the Code.

This Code is considered to be best practice within the sector.


Who regulates charities?

Charities are subject to a range of regulatory oversight, including the Information Commissioner’s Office, the Health and Safety Executive, etc., but the key regulator is the Charity Commission for England and Wales (“CCEW” or “the Commission”). The Commission is an independent, non-ministerial government department accountable to Parliament.

The Commission is the regulator of charities in England and Wales and maintains the charity register. As the regulator, it is responsible for maintaining an accurate and up-to-date register of charities. This includes deciding whether organisations are charitable and should be registered. It also removes charities that are not considered to be charitable, that no longer exist or do not operate, or that have been considered to have acted inappropriately such that the Commission considers them no longer fit to act as a charity.

Any member of the public can access the register to determine whether an organisation is a bona-fide, registered charity.

Similarly, there is a charity regulator in Scotland, the OSCR, where the same principles apply. Most of the charities that operate in England, Wales and Scotland are registered with OSCR and with the Commission. These are known as ‘cross-border’ charities.

Under a Memorandum of Understanding, OSCR and CCEW operate effective information sharing and joint working arrangements.

OSCR and CCEW work on a ‘lead regulator’ basis for cross-border charities to reduce the regulatory burden. This means that CCEW will be the lead regulator for cross-border charities and in general will take responsibility for dealing with concerns about cross-border charities, unless the concern relates to a Scottish specific matter that OSCR would be best placed to look at. There may be some circumstances where a joint inquiry is appropriate.

This does not mean that cross-border charities must only report to CCEW. All charities registered in Scotland must fully comply with the requirements of Scottish charity law.

Both regulators have similar regimes in terms of when charities should report certain events and incidents to them. CCEW calls this ‘serious incident’ reporting (refer below for further information), while OSCR refers to it as ‘notifiable events’. Cross-border charities are required to report to CCEW, but do not need to also report the incident/event to OSCR.


Reporting serious incidents

The Charity Commission requires charities to report serious incidents. If a serious incident takes place within a charity, it is important that there is prompt, full and frank disclosure to the Commission. The charity is required to report what happened and, importantly, let the Commission know how it is dealing with the incident, even if it has also reported it to the police, donors, or another regulator.

A serious incident is an adverse event, whether actual or alleged, which results in or risks significant:

  • harm to a charity’s beneficiaries, staff, volunteers, or others who come into contact with a charity through its work
  • loss of a charity’s money or assets
  • damage to a charity’s property
  • harm to a charity’s work or reputation.

For the purposes of the guidance by the Commission, ‘significant’ means significant in the context of a charity, taking account of its staff, operations, finances and/or reputation.

Charities should have a serious incident reporting policy and procedure in place which details when and how a report should be made, and the internal escalation and approval processes which should be followed prior to the report being made.

The responsibility for reporting serious incidents rests with the charity’s trustees. In practice, this may be delegated to someone else within the charity, such as an employee or the charity’s professional advisers.

However, all trustees bear ultimate responsibility for ensuring their charity makes a report and does so in a timely manner.

If they decide not to make a report about something serious that has happened in a charity and the Commission later becomes involved, the trustees will need to be able to explain why they decided not to report it at the time.


What risks are charities facing?

Charities are facing unprecedented regulatory requirements. Equally, charity operations are as complex and diverse as they have ever been.

Charities face a number of complex risks, including in areas such as:

  1. Safeguarding: If a charity works with or around children and vulnerable adults, having strict safeguarding policies and procedures in place is fundamental. Where such risks materialise, they have significant health and safety, regulatory and reputational impacts.
  2. Volunteer management: Volunteers make a difference in a whole range of settings and organisations, from small volunteer-led community groups to larger national and international charities. Many charities are highly dependent on volunteers to enable them to deliver their charitable objectives. There is therefore a need to ensure that there are robust onboarding, management, and training processes in place in relation to volunteering, including the ability to remove volunteers if their behaviour is inappropriate or detrimental to the charity’s reputation and purposes.
  3. Fundraising: Fundraising practices have been subject to considerable external scrutiny in recent years, with a Fundraising Regulator created in 2016. A Code of Fundraising Practices, effective from October 2019, was created, which all charities must adhere to. The Regulator is also responsible for investigating complaints from members of the public about fundraising practices if these cannot be resolved by the charities themselves. Breaches of fundraising practices often result in significant reputational risks to charities.
  4. Retail: Many large charities have significant retail estates (one of the leading charities in the UK operates over 700 charity retail shops) which carry a number of risks in relation to use of volunteers (refer above), Health and Safety, and, often, an inherent risk of fraud of inventory or cash; in particular where Electronic Point of Sale (EPOS) systems are not used and inventory is not bar coded.
  5. Data protection: Many charities handle significant amounts of data and information. This includes data about their beneficiaries, their employees and volunteers, and their supporters. New technology and the rapid growth of social media have resulted in an exponential growth in this data. Like any organisation, it is important that a charity understands the scope and extent of its legal and regulatory obligations in relation to the data and information it holds, and in particular compliance with the General Data Protection Regulation (GDPR).
  6. Business Continuity (BC) and IT Disaster Recovery (ITDR): Due to the nature of the work of many charities, in particular those who work with vulnerable individuals, robust BC and ITDR arrangements are fundamental in ensuring that the charity can continue its work on the front line.
  7. Fraud: Fraud is a huge risk to charities and can come in various forms, both internally and externally. Charities were in the past seen as an easy target due to the high levels of cash handled; however, this cash fraud risk has reduced in recent years with the introduction of technology such as contactless, EPOS systems and on-line donations. However, a lack of robust financial controls within a finance department has resulted in basic financial frauds, such as payment frauds (pretending to be the CEO and requesting a payment is a common fraud), fictitious amendments to bank account and supplier data, and heightened use of social engineering.
  8. Financial sustainability: Given the pressures that charities are facing in the current environment, and in particular given the current pandemic, charities face a threat of not being able to continue to operate as a going concern. This is particularly relevant given the need for charities to ensure that they fundraise in line with requirements (see point 5 above), which makes for a more difficult fundraising environment than in the past.

What are the considerations for internal audit?

Charities are facing a number of complex risk areas, and therefore need robust policies, processes, procedures, and controls. In addition to the areas discussed above, other areas of risk include legacies, grant giving and receiving, and the need for effective governance (which is discussed above).

The Charity Commission heavily recommends that charities have an internal audit activity in place, but does not make it mandatory. There is, therefore, a need for boards and their sub-committees (in particular an audit committee, or equivalent) to see the considerable benefit that internal audit assurance can provide over these risk areas.

In all areas of a charity’s activities, it is the responsibility of the trustees and management to identify and manage the risks.

Internal audit’s primary role is to provide objective and independent assurance that risks are being identified, assessed, responded to, and reported, especially if they are potentially outside the risk appetite set by the trustees/board of the organisation.

In many organisations it is likely that internal audit will form part of an integrated assurance framework for monitoring or reviewing key risks. This is typically more prevalent in larger charities, those with complex operations and those who have international operations. Internal audit will therefore be one source of assurance within the three lines of defence.

It’s imperative that risk-based internal audit practices are followed, in order to focus the internal audit resource available on the key risk areas.

A key consideration when performing both risk-based annual audit planning, and the planning for the individual internal audit engagements, is what subject matter expertise is required in order to deliver the review. Where risks are complex within the charity, it is important that the internal audit team utilises subject matter expertise in the delivery of the audit, and that the individuals are competent to perform the work. This is particularly relevant in areas such as safeguarding, health and safety and complex IT risks.

Internal audit may play an advisory role where, providing it has the relevant capability and expertise, it can both challenge and work with management on its approach to managing specific risks, assist in workshops, etc.; providing that it remains independent and this role does not result in a potential conflict of interest in the future.

Other areas where internal audit could work with management could include:

  • enhancing culture through the targeting of poor areas of culture
  • providing advice to trustees and management on effective controls in specific areas
  • facilitating the harnessing of technology and data to identify and target specific risk and control areas.

Other jurisdictions

Much of the content included above will be relevant to various jurisdictions, however some areas may differ, in particular in relation to legislation and regulatory responsibilities.

For example:

  • In Northern Ireland, the Charity Commission for Northern Ireland is the independent regulator of charities and operates under the Charities Act (Northern Ireland) 2008 and the Charities Act (Northern Ireland) 2013.
  • In Ireland, the Charities Regulator, under Part 4 of the Charities Act 2009, has the power to appoint investigators to investigate the affairs of any charitable organisation and acts as the regulator to the sector.

Further reading

Chartered IIA - The Internal Audit Code of Practice for private and third sectors

The Charities Act 2011

The Charity Commission

Scottish Charity Regulator - OSCR

The Charity Governance Code Steering Group - Charity Governance Code

Fundraising Regulator - Code of Fundraising Practice

Gov.uk - Setting up a charity

Gov.uk - How to write a charity governing document

Gov.uk - Charities and risk management 

Content reviewed: 11 February 2021