Introduction
An amendment to the Economic Crime and Corporate Transparency Bill (the Bill) has brought in the offense of failure to prevent fraud (Offense). Under the new Offense, an organization will be liable where a specified fraud offense is committed by an employee or agent, for the organization's benefit and the organization did not have reasonable fraud prevention procedures in place. It does not need to be demonstrated that the company's leadership ordered or knew about the fraud.
There has been considerable analysis and debate regarding the new Offense, including assumptions that government guidance will look and feel like the guidance issued for the
Case Study
In 2022 the
Some of the criminal conduct was unsophisticated; Croft gave the auditors falsified bank statements that inflated the company's cash position and supplied them with fabricated bank reconciliations.
Coleman further inflated those figures for financial reports that were then presented to the Board. One of the offenses within the scope of the act is false accounting contrary to s17 of the Theft Act - offenses that Croft and Coleman committed.
The question of whether
What Reasonable Procedures Should Companies Consider Putting in Place?
To invoke the reasonable procedures defense, a company should be able to point to the policies, procedures, and controls they have in place to prevent the various types of fraud set out in the Bill.
Although it is near impossible to prevent bad actors from perpetrating fraud in your business, reasonable procedures should be designed with three clear objectives;
-
make it harder for people to commit fraud;
- make it easier for employees to spot fraud; and
- make it easier for colleagues to report fraud.
- disclosures reviews
- scrutiny over management estimates / top-line adjustments
- evaluations of material changes in accounting policy
- segregation of duties
Anti-fraud Culture
Developing a strong culture should be the bedrock of any fraud risk management program. A central component of a demonstrable anti-fraud culture is the appointment of an executive-level sponsor. The appointment of an anti-fraud champion, who is accountable for managing the firm's response to fraud, ensures that there is both visibility and accountability for preventing fraud while demonstrating the organization's intolerance of fraud to all employees.
Developing this culture also involves aligning incentives to desired employee behavior. In the case of
Companies will also need to revisit training, communications, and whistle-blowing mechanisms. It will be important that companies consistently message an intolerance of fraud and unethical behavior, support employees to spot and report the signs of misconduct and ensure reports of fraud are managed effectively.
With respect to training, organizations must ensure employees and directors who prepare or review financial information are adequately trained to scrutinize the information they receive. In the
Systems and Controls
Before implementing systems and controls, organizations should base their interpretation of the words "reasonable" and "proportionate" on the results of a fraud risk assessment. For example, it is reasonable to accept certain areas of your organization present little to no risk of fraud. This allows for resources to be deployed to areas of high risk, resulting in more stringent control activity over areas where fraud is most likely to occur and have a significant impact.
While specific procedures and controls will be tailored to risk and complexity, there are control areas we commonly see fail in fraud investigations, each meriting some level of review considering the Offense. These include (but are not limited to):
-
financial reporting controls
In the case of
Auditors
Companies may be tempted to rely on their external auditors in place of appropriate anti-fraud systems and controls. However, external auditors should only be part of the equation. In addition to fraud prevention controls, it is reasonable to assume any guidance for the Offense will include expectations for monitoring the effectiveness of procedures, outside of the external audit context.
Many large organizations have some form of internal audit or risk function which assess controls across a variety of organizational activities. Regulated and sophisticated corporates go one step further by implementing "three lines of defense" (3LOD): management that own process; a risk/compliance function that oversees the design of frameworks; and an internal audit function that independently assures the effectiveness of the frameworks. Structural differences aside, the premise is management and the board receives control assessments, which provide confidence in representations to external auditors as to whether there are functioning controls designed to prevent and detect fraud (among other representations).
While a dedicated internal audit function may not be proportionate for every organization, some form of monitoring will likely be required. We consider this to be one of the most resource-intensive implications of the new Offense, especially for organizations with no current monitoring mechanisms.
Conclusion
There are a few practical matters to consider when preparing a response to the Offense. First, the government is yet to publish guidance for the Offense, which should provide further clarity on the reasonable procedures the government might expect in preventing fraud.
Secondly, identifying who should "own" a business' response to the Offense is a decision that should be considered carefully. For example, appointing an executive whose day-to-day responsibilities overlap with areas of high fraud risk within the organization to design the framework may result in a more efficient process. However, it is worth also defining and engaging with those who will run the controls, those who will design them, and those who can objectively assess them to make the overall program a success and demonstrate a considered approach.
A final, but important consideration is preparing for a fraud risk assessment. Even the best-planned controls, internal audits, and external audits can have weaknesses. So, regardless of an organization's current framework, a risk assessment would be a great starting point that will only serve to better inform your organization of its fraud risk exposure.
Footnotes
1. https://acfepublic.s3.us-west-2.amazonaws.com/2022+Report+to+the+Nations.pdf
2. Final Notice 2020:
3.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Kurun Bhandari
DC 20006
Tel: 202797 1111
E-mail: hunter.voegele@ankura.com
URL: ankura.com
© Mondaq Ltd, 2023 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source