CC8 for UK Charities: The Practical Implementation Guide
The Charity Commission's CC8 guidance tells you what internal financial controls your charity needs. It does not tell you how to actually put them in place without swallowing your finance team. This guide does — section by section, with the gaps auditors actually find.
“Trustees are personally responsible for managing their charity's resources responsibly. Putting in place appropriate internal financial controls is part of meeting that responsibility.”
— Charity Commission, CC8
The UK charity sector turns over more than £80 billion a year. CC8 — the Charity Commission's guidance on Internal Financial Controls for Charities — is the single document trustees, finance leads, and independent examiners reach for when something looks wrong. It was last refreshed by the Commission in November 2024, with new sections on digital payments and cyber risk.
This guide is a practical companion to the official version. It walks through what CC8 actually requires, what auditors look for in each area, and the four gaps that most commonly appear in independent examination reports. At the end, there's a free 30-question self-assessment your team can run in under ten minutes.
Who this is for: charity finance directors, treasurers, finance managers, and trustees with financial oversight. Useful for independent examiners too.
What is CC8?
CC8 is the Charity Commission's guidance document titled Internal Financial Controls for Charities. It explains the controls trustees are expected to put in place to protect their charity's assets, prevent fraud and error, and run accountably.
It was last updated in November 2024, with expanded sections on digital and mobile payments, cyber risk, and overseas operations. The earlier 2012 version is still widely cited — be careful: a few of its specific recommendations are out of date.
CC8 applies to all registered charities regulated by the Charity Commission for England and Wales — not just the large ones. The expectations scale with the charity's size and risk profile, but the underlying principles apply equally to a £200k community charity and a £15m national one.
Legally required
Keeping “proper” financial controls — the statutory duty comes from the Charities Act 2011 and trustees' general duties.
Recommended good practice
Most of the specific control activities in CC8 — they are expected by examiners and the Commission, but not line-by-line in the Act itself.
The official guidance is at gov.uk — Internal Financial Controls for Charities (CC8). Keep it open while you read this guide.
Why CC8 matters more in 2026
The November 2024 refresh wasn't cosmetic. Four pressures have made internal financial controls more important — and harder to run on goodwill and spreadsheets.
Digital payments and dual authorisation
CC8 now explicitly addresses Apple Pay, Google Pay, and similar one-tap payment methods. These are designed for speed, not control. If your charity allows mobile payments on cards held by individual staff, you need a documented process that brings dual authorisation back into the workflow — even when the underlying technology removes it by default.
Cyber-crime and phishing risk
Roughly a quarter of UK charities reported a cyber-attack in the most recent Cyber Security Breaches Survey. The most common attack against charity finance teams is an emailed “invoice” or supplier bank-detail change request from a spoofed address. CC8 now treats verifying changes to supplier payment details as a baseline control, not an optional one.
Trustee personal liability
Trustees are personally responsible for managing the charity's resources prudently. In serious cases of mismanagement, that responsibility is enforceable. CC8 is the document the Commission points to when assessing whether trustees met their duty of care over financial controls. If your trustees haven't actually read it, that's a problem before any incident occurs.
Audit and independent examination scrutiny
Examiners are increasingly asked to comment on the design and operation of controls — not just on whether the numbers add up. A clean set of accounts no longer guarantees a clean report if the controls behind them are weak. CC8 is the reference standard examiners use to make that judgement.
The seven core areas of CC8
CC8 is structured around seven areas of financial activity. For each: what the Commission expects, a worked example, and the gap most charities have.

1. Governance and oversight of financial controls
Trustees own financial controls — they cannot delegate the responsibility, only the execution. CC8 expects a written financial controls policy, regular trustee oversight (typically through an audit or finance committee), and a clear scheme of delegation showing who can authorise what, and up to what value.
Example: A medium charity might authorise the finance manager up to £5,000, the CEO up to £25,000, and require two trustees above that. Limits should be written, dated, and signed off by the board.
Common gap: Delegation limits exist in someone's head, or in a 2018 finance policy that nobody has reopened.
2. Income, banking, and cash handling
All income should be recorded promptly, banked intact, and reconciled to the underlying activity — donations, grants, trading, investments. Cash handling (still common at events and in community charities) needs two people present from collection to banking.
Example: Event cash should be counted by two people, recorded on a tally sheet both sign, banked the next working day, and tied back to the event in the accounting system.
Common gap: Restricted grant income recorded as unrestricted, then quietly fixed at year end. A control failure even if the numbers eventually reconcile.
3. Expenditure and procurement controls
This is the area examiners pay most attention to — because it is where most charity money flows out and most charity fraud happens. CC8 expects authorisation before commitment, separation of the person who orders from the person who pays, and an audit trail for every transaction above a defined threshold.
Example: A purchase over the delegation limit should be authorised in writing before the order is placed — not retrospectively when the invoice arrives. The authorisation should be visible to the person processing the payment, and stored somewhere an examiner can find it twelve months later.
Common gap: Approvals scattered across Outlook threads. The trail exists but is unfindable. Systems that enforce dual authorisation at the point of order — like ProcurementExpress — remove the risk of single-person sign-off without requiring manual policing.
4. Staff expenses and reimbursements
A small line item in the accounts and a large proportion of charity fraud cases. CC8 expects a written expenses policy, line-manager approval before payment, receipts for every claim, and explicit rules for senior staff (whose claims are usually approved by a trustee, not a peer).
Example: The CEO's expenses should be approved by a designated trustee, with a clear record of what was reviewed. “CEO approves their own” is a hard fail.
Common gap: No written policy. Staff and trustees end up improvising case-by-case.
5. Fraud, bribery, and corruption prevention
CC8 expects a documented anti-fraud and anti-bribery policy, a route for staff to report concerns confidentially, and trustee oversight of fraud risk. It also expects you to report serious incidents to the Charity Commission and, where relevant, the police.
Example: A whistleblowing route that bypasses line management — usually a trustee contact or an external service — so a finance assistant who suspects their manager has somewhere to go.
Common gap: Policy exists, never reviewed, no one is sure who the trustee contact is.
6. Operating overseas
Overseas activity layers on extra risk — currency, sanctions, partner due diligence, cash transfers to higher-risk jurisdictions. CC8 expects controls proportionate to that risk, partner-level due diligence, and a clear policy on how funds are transferred and accounted for.
Example: Documented sanctions screening before any new overseas partner is paid; a defined limit above which cash transfers require trustee approval.
Common gap: Sanctions checks done once at partner onboarding and never refreshed.
7. Cyber security and digital payments
The newest material in CC8. Expectations: multi-factor authentication on finance systems, a process for verifying supplier bank-detail changes by an independent channel (phone call, not reply-email), and cyber-incident response that includes the finance team — not just IT.
Example: When a supplier emails new bank details, finance calls the supplier on a number held on file (not the number in the email) before anything changes in the system.
Common gap: Bank-detail changes made on the word of an email. Direct route to a successful phishing attack.
The four controls every charity gets wrong
From the patterns that show up in audit reports and Commission case studies, these are the four CC8 controls that fail most often.
1. Single-person purchase authorisation
What CC8 says: The person who orders should not be the person who pays. Material expenditure needs more than one authorising signature.
Why charities miss it: Small finance teams. The same person logs the invoice and processes the payment because there are only two people in the function.
What good looks like: Dual authorisation enforced by the system — not by a colleague remembering to check. Where headcount is genuinely too thin, an independent trustee reviewer countersigns over a defined threshold.
2. Undocumented delegation limits
What CC8 says: Authority limits should be written, board-approved, and known to the people who use them.
Why charities miss it: Limits get set during a budget meeting, recorded loosely, and drift over time as roles change.
What good looks like: A one-page scheme of delegation, reviewed and signed off by trustees annually, visible to every approver. Approval workflows that automatically apply delegation limits remove the remembering-them part.
3. Weak supplier verification
What CC8 says: Charities should verify the identity and details of suppliers before payment, and re-verify when payment details change.
Why charities miss it: Supplier onboarding happens in an inbox. New suppliers are paid on the strength of an emailed invoice and a verbal “they're fine, we worked with them before”.
What good looks like: A vendor record created and approved before any PO can be raised, with bank-detail changes triggering a re-verification step.
4. Audit trail held in email and spreadsheets
What CC8 says: Charities should keep contemporaneous, complete records of the authorisations behind each transaction.
Why charities miss it: Approvals happen by email and on Slack. The audit trail exists in principle, but reconstructing it at year-end takes weeks.
What good looks like: An immutable activity log tied to each PO and invoice, exportable for the independent examiner in one click. The examiner can spot-check ten transactions without ten email searches.
Your CC8 implementation roadmap
A realistic ninety-day path for a finance team that already has a day job. Adjust to your size and starting point.
Self-assessment and gap analysis
Run the CC8 self-assessment with the finance lead, the CEO, and at least one trustee. Score each section. Identify the three weakest areas.
Policy review and trustee sign-off
Update or write the financial controls policy. Set delegation limits. Get the board to formally approve. Minute the decision.
System and process changes
Move single-person approvals to dual authorisation. Formalise supplier onboarding. Move the audit trail off email and spreadsheets onto something exportable.
Annual review
Re-run the self-assessment at least annually. Report results to trustees. Refresh whenever the Commission updates CC8.
CC8 FAQ
Is CC8 legally binding?
CC8 is guidance, not law. The legal duty to keep proper financial controls comes from the Charities Act 2011 and trustees' general duties. CC8 explains what the Charity Commission expects trustees to do to meet that duty — so in practice, ignoring it leaves you exposed.
Does CC8 apply to small charities?
Yes. CC8 applies to all UK registered charities regulated by the Charity Commission for England and Wales. The expectations scale with the charity's size and complexity — a £200k charity is not expected to have the same controls as a £15m one, but the principles still apply. Charities in Scotland (OSCR) and Northern Ireland (CCNI) have separate regulatory regimes; the CC8 principles are a useful reference, but check your own regulator for the binding equivalent.
How does CC8 relate to SORP and the Charities Act?
The Charities Act 2011 sets the legal framework. SORP (Statement of Recommended Practice) governs how charities prepare their accounts. CC8 sits between the two and describes the internal financial controls trustees should put in place to operate within both.
What's the difference between CC8 and an audit?
CC8 is about prevention — the controls you run year-round. An audit (or independent examination) is the after-the-fact check that those controls worked. Strong CC8 implementation makes the examination cheaper, faster, and less stressful. Charities with income over £1m typically require a statutory audit; those between roughly £25k and £1m usually require independent examination. Verify the current thresholds against the Commission's published guidance before relying on them.
How often should we review our financial controls?
Trustees should review controls annually as a minimum, and after any significant change — new funding stream, leadership change, system migration, or a fraud incident. Many charities tie the review to their annual report cycle.
Further reading
Charity Commission CC8 (official)
The full Commission guidance on internal financial controls. Updated November 2024. Read alongside this guide.
Read on gov.uk
Cyber Security Breaches Survey
UK government's annual survey of cyber-attack rates across businesses and charities. Source for the charity-sector cyber-attack stat cited above.
Read on gov.uk
