
5 April 2026 · 7 min read · Arviteni

Digital Reporting for Charities: What the Charity Commission Now Expects

The Charity Commission is tightening expectations around digital reporting, serious incident reporting, and governance transparency. Here's what trustees need to know and what systems need to be in place.

Compliance
Charities
Governance
Regulatory
Digital Transformation

The Charity Commission has been steadily raising the bar on reporting, transparency, and governance standards. The Annual Return has expanded. Serious incident reporting requirements have tightened. The expectation that charities can demonstrate compliance — not just claim it — is growing.

For trustees, this means the days of managing governance through email threads, shared drives, and annual paper exercises are over. Meeting the Commission's current expectations requires systems that track, evidence, and report.

This post covers what has changed, what the Commission now expects, and what technology your charity needs to meet those expectations.

What has changed in recent years

The expanded Annual Return

The Charity Commission's Annual Return now asks more questions than ever before. Beyond the standard financial data, charities must report on:

  • Serious incidents — including cyber attacks, data breaches, safeguarding concerns, and significant financial losses
  • Trustee declarations — confirming compliance with legal duties, conflicts of interest management, and safeguarding policies
  • Risk management — whether the charity has identified and assessed major risks
  • Fundraising practices — whether the charity follows the Fundraising Code of Practice

The trend is clear: the Annual Return is becoming a compliance declaration, not just an accounting exercise. Every question must be answerable from auditable records, not reconstructed from memory.

Tightened serious incident reporting

The Commission expects charities to report serious incidents "as soon as possible" after they are identified. This includes:

  • Fraud or theft (actual or suspected)
  • Cyber attacks and data breaches
  • Safeguarding incidents
  • Links to terrorism or extremism
  • Significant financial losses
  • Significant governance failures

The Commission's 2024 annual report noted an increase in both the number of serious incident reports received and the number of statutory inquiries opened. They explicitly state that under-reporting is a greater concern than over-reporting — charities should report anything that might qualify and let the Commission assess severity.

For charities, this means having systems that detect incidents quickly (automated alerts for unusual transactions, failed login attempts, data access anomalies), document them properly (timestamped records with full context), and enable rapid reporting (not a week of scrambling to compile information).

Governance Code expectations

The Charity Governance Code was updated in 2024. While voluntary, the Commission treats it as the expected standard. Key expectations:

  • Board diversity and skills audits tracked and reviewed annually
  • Risk registers maintained and reviewed regularly (not annually — regularly)
  • Conflicts of interest declared and recorded for every decision
  • Financial controls documented and tested
  • Safeguarding policies in place, reviewed, and evidenced

Each of these requires structured record-keeping. A risk register on a spreadsheet that was last updated eighteen months ago does not demonstrate "regular review." A conflicts of interest log that exists only as meeting minutes does not demonstrate systematic management.

Where charities struggle with technology

Governance records scattered across systems

Board papers in email. Meeting minutes in Google Docs. Risk registers in Excel. Policy documents on a shared drive. Trustee declarations in a filing cabinet. When the Commission asks a question, answering it requires searching multiple locations and hoping nothing was lost.

A centralised governance platform — or at minimum, a well-structured document management system with consistent naming, versioning, and access controls — is the foundation for demonstrable compliance.

Financial reporting that takes weeks

Charities subject to SORP (Statement of Recommended Practice) accounting standards must produce accounts that meet specific formatting and disclosure requirements. Many charities still produce these manually, with finance staff spending weeks copying data from accounting software into SORP-compliant templates.

Modern accounting and reporting tools can automate SORP-compliant output, generate management accounts in real time, and provide the financial data needed for Annual Returns without manual extraction.

No incident detection capability

Most small and medium charities have no automated way to detect a cyber attack, financial anomaly, or data breach. They discover incidents when something visibly breaks — a staff member reports they cannot access their email, a bank flags an unusual transaction, a beneficiary contacts them about a suspicious communication.

By the time an incident is discovered this way, it has often been ongoing for days or weeks. The Commission's expectation of "as soon as possible" reporting is impossible to meet if detection depends on human observation.

Basic monitoring — failed login alerts, unusual transaction flags, data access logging — is affordable and available in standard business platforms like Microsoft 365. It just needs to be configured and reviewed.
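To illustrate the failed-login alerting and timestamped incident records described above, here is an added example (not code from this post or from any Microsoft 365 tooling). The column names, sample rows, threshold, and window are all constructed assumptions; a real export would need mapping to these fields.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in export (UTC). Column names are assumptions,
# not the schema of any particular platform.
SAMPLE_LOG = """timestamp,account,result,source_ip
2026-04-01T02:10:05Z,finance@charity.example,failure,203.0.113.7
2026-04-01T02:10:40Z,finance@charity.example,failure,203.0.113.7
2026-04-01T02:11:15Z,finance@charity.example,failure,203.0.113.7
2026-04-01T02:11:50Z,finance@charity.example,failure,198.51.100.23
2026-04-01T02:12:30Z,finance@charity.example,failure,198.51.100.23
2026-04-01T02:13:02Z,finance@charity.example,success,198.51.100.23
2026-04-01T09:00:11Z,volunteer@charity.example,failure,192.0.2.44
2026-04-01T09:00:30Z,volunteer@charity.example,success,192.0.2.44
"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect_incidents(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one timestamped record per suspicious sign-in pattern."""
    # Same-format ISO-8601 UTC strings sort chronologically.
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["timestamp"])
    recent = defaultdict(deque)   # account -> failures still inside the window
    incidents = []
    for row in rows:
        now = parse_ts(row["timestamp"])
        fails = recent[row["account"]]
        while fails and now - parse_ts(fails[0]["timestamp"]) > window:
            fails.popleft()       # forget failures older than the window
        if row["result"] == "failure":
            fails.append(row)
            kind = "repeated failed logins" if len(fails) == threshold else None
        else:
            kind = ("success after failed-login burst"
                    if len(fails) >= threshold else None)
        if kind:
            incidents.append({
                "type": kind,
                "account": row["account"],
                "first_failure": fails[0]["timestamp"],
                "detected_event": row["timestamp"],
                "failure_count": len(fails),
                "source_ips": sorted({f["source_ip"] for f in fails}),
            })
        if row["result"] == "success":
            fails.clear()         # a normal sign-in resets the counter
    return incidents
```

A single mistyped password followed by a normal sign-in (the volunteer account in the sample) produces no record, while the burst against the finance account produces two: one when the threshold is reached and a higher-priority one when a sign-in then succeeds.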

Safeguarding without systems

For charities working with children, vulnerable adults, or people in crisis, safeguarding is paramount. The Commission expects charities to have policies, procedures, training records, DBS check logs, and incident records.

Many charities manage safeguarding through a combination of paper forms, spreadsheets, and individual knowledge. This makes it impossible to demonstrate systematic compliance. When a trustee changes, the institutional knowledge walks out the door. When the Commission asks for evidence, compiling it takes days.

A structured safeguarding system — DBS tracking with expiry alerts, training records linked to staff and volunteers, incident logging with timestamps and outcomes — turns safeguarding compliance from a burden into a by-product of normal operations.

What good technology looks like for charities

Proportionate to size

A £50,000 income charity does not need enterprise governance software. But it does need:

  • A structured way to store and find board documents, policies, and minutes
  • A reliable backup of all organisational data
  • Multi-factor authentication on all accounts
  • A clear record of who has access to what
  • Basic financial reporting that meets SORP requirements

Microsoft 365 (available to charities at significantly reduced cost or free through the Microsoft Nonprofit programme) provides most of this out of the box — document management, email, collaboration, and basic security controls. It just needs proper configuration.

Connected, not siloed

For larger charities (£500,000+ income), the challenge is connecting systems. The CRM holds donor data. The finance system holds transaction data. The case management system holds beneficiary data. The HR system holds staff and volunteer records. None of them talk to each other.

The result is duplicate data entry, inconsistent records, and an inability to get a complete picture of the charity's operations. Integration — through APIs, middleware, or platform consolidation — is what turns disconnected systems into useful infrastructure.

Secure by design

Every system that holds personal data must be secured appropriately. That means:

  • Individual accounts with MFA (no shared logins)
  • Role-based access control (fundraisers do not need safeguarding records)
  • Audit logging (who accessed what, when)
  • Encryption at rest and in transit
  • Regular backups with tested recovery
  • Patching and updates applied promptly

These are not advanced security measures. They are the basics that Cyber Essentials certifies. Our Cyber Essentials guide for charities covers the practical steps in detail.

Practical steps for trustees

1. Assess your reporting readiness

Can you answer every question on the Charity Commission Annual Return from existing systems, without manual compilation? If not, identify where the gaps are.

2. Audit your governance records

Where do board papers, meeting minutes, risk registers, policies, and declarations live? Can you find any document within five minutes? Is there version control? Are access controls appropriate?

3. Review your incident detection

If a staff member's email account was compromised today, how long would it take you to find out? If the answer is "when someone notices something odd," you need automated alerting.

4. Check your safeguarding systems

Are DBS checks tracked with expiry dates and renewal alerts? Are training records up to date and linked to individuals? Are safeguarding incidents logged with timestamps, actions, and outcomes? Can you produce a complete safeguarding report for the Commission on request?

5. Assess your IT partner

Does your IT provider understand the charity sector's regulatory context? Do they know what the Charity Commission expects? Can they configure your systems to support compliance, not just keep them running?

Generic IT support keeps your email working. Sector-aware IT support ensures your technology actively supports your governance and compliance obligations.

Get in touch if you want to discuss your charity's technology and reporting setup. We work with charities on practical, proportionate IT solutions — and we understand that your mission comes first.