
CC8 – Internal Financial Controls for Charities Updated

Archie McDowall

At the end of April 2023, the Charity Commission updated its guidance on internal financial controls for charities – known as CC8. Much of the guidance is unchanged from the previous version but, given that it is a number of years since the guidance was last published, it is perhaps no surprise that the main updates concern digital payments systems, cybercrime and crypto assets.

Digital Payments Systems

Digital payments systems are systems such as Apple Pay or Google Pay, where payments from a credit or debit card can be made without the card user having to enter card details or personal details for each individual transaction. Usually, the payment details are stored in an individual’s digital wallet on, for example, their mobile phone or tablet.

This increases the need to have a clear policy in place which covers who within the organisation is allowed to use the digital payment methods, what the spending limits are and in what circumstances such methods can be used. Where someone who has previously been an authorised user of the charity’s debit or credit card leaves the organisation, it is no longer sufficient to simply require the card to be returned, as the card details may still be stored on that person’s mobile device.

There is a risk that unauthorised payments could be made in the future, and it is therefore important that card statements are sent to someone other than the cardholder so that any unauthorised use can be quickly detected. It is probably worth asking the bank in question to cancel the current card and issue a new one whenever someone who has previously had access to the card leaves. This will render any details saved in a digital wallet unusable.

The Commission has said that charities should have the same controls in place for digital payments as they do for payment by debit, credit or charge cards. These include dual authorisation for payments, and indeed for any changes to the bank mandate; formally closing unused bank accounts; a segregation of duties between those involved in the financial affairs of the charity; and giving a trustee other than the treasurer the ability to log into the bank account and review the transactions. CC8 also includes many other recommendations around banking and payments and is worth reviewing on a regular basis.


Cybercrime has massively increased in the last few years, with many examples of loss from phishing e-mails – some of which are very sophisticated. This is not the place to go into detail but one of the greatest risks for churches and small charities is a lack of awareness among staff and volunteers, combined with a lack of software defences. Reading this part of the guidance carefully, organising training and awareness among users and appreciating the value of dual authorisation on bank accounts really does help reduce this risk.

Crypto assets

The other major update to the guidance is in respect of crypto assets. While many charities might never come across donations of such assets, it is still worth being aware that guidance is available and should be referred to should such assets be offered by a donor.

The Commission reminds charity trustees of their legal duty to manage the charity’s resources responsibly. This means that trustees should understand the risks of holding and using such assets and, before accepting such donations, they should ensure that they have the expertise within the trustee body to manage the risks carefully.

Other matters

These are the main changes in the updated guidance, but we would recommend that all charity trustees regularly read the information available. Other topics covered in the guidance include the risks of fraud, public collection and fundraising (see the Code of Fundraising Practice), receiving donations online, wages and salary controls, reimbursing expenses, making loans and many more topics. The guidance really is a valuable resource for charity trustees, and anyone else who might be involved in charity finance, and should be referred to regularly.

Along with the updated guidance, the Commission has also issued an updated checklist which provides a useful summary of what controls might be necessary or recommended when reviewing a charity’s internal financial processes.


Written by

Archie McDowall

Archie joined our Accounts Examination Services team in 2020. Prior to this he was Deputy General Treasurer of the Church of Scotland and before that he managed the charity audit section of a firm of Chartered Accountants. Archie has been involved in advising treasurers and trustees of charities for many years and has also served as a trustee of various charities.

Archie and his wife Sarah live in Essex, where he preaches and leads worship in various different churches on a regular basis. Their daughter, son-in-law and two grandchildren live in Lancashire. In his spare time Archie enjoys going to the theatre.

Archie is passionate about the local church and the ways in which it serves its community and the most vulnerable on the margins of society. He recognises the importance of supporting volunteers within churches, particularly those who are facing pressures to comply with increasingly complex legislation on finance and governance.