Organisational fraud comes in different forms. The threat can be external or internal. It can range from a cyber-attack on an organisation, an email scam, to a fraud perpetrated by a 'trusted' employee. It is a common misconception that fraud is something outside of an organisation's control and therefore a director or officer bears no responsibility for a fraudulent incident and the consequences. This may not always be the case. Directors and officers may be personally liable for losses suffered by an organisation if they fail to ensure that the risk of fraud is not sufficiently mitigated.
The Cost of Fraud to a Business
The cost of fraud to an organisation can be significant. There is the monetary cost arising from:
- The fraudulent activity itself, for example, the money redirected away from the business by an employee
- The cost of forensically investigating the fraud
- The cost of remediating the fraud
- The cost arising from the fall out, such as managing the media or introducing new systems.
However, the hidden cost to an organisation goes deeper and includes:
- Loss of business reputation
- Drop in employee morale
- Loss of new business opportunities
So, organisational fraud and its consequences is serious business. It raises the question of where does the responsibility lie for this and is there any come back on directors or officers of a business?
Doing your duty
Directors' duties arise from a number of sources that includes the common law and various pieces of legislation, in particular, the Corporations Act 2001 (Cth) (the Act). When organisational fraud occurs, a question that looms after the initial shock finding and urgent endeavours to mitigate the effects of the fraud, is what responsibility do the directors and officers bear for what has occurred?
While there are certainly more than two duties that arise under the Act, the main directors' duties that come into play when we think about organisational fraud occurring are:
- The duty to act with the degree of care and diligence that a reasonable person in that position and in the corporation's circumstances would exercise1.
- The duty to act in good faith in the best interests of the corporation and for proper purpose2.
These two main duties also apply to 'officers' of a corporation. An officer includes a company secretary and anyone who makes or participates in decision making that affects the whole or a substantial part of the business or who has the capacity to affect significantly the corporation's financial standing or in accordance with whose directions or instructions the directors usually act. For example, this could potentially extend the duty to the CEO, and other key players in executive management.
What does this mean in practice?
The practical effect of the duties that directors and officers bear, is that it gives rise to a duty to ensure that an organisation has in place adequate processes, systems and policies to minimise the risk of fraud and create a culture of compliance. For example, a policy in place that requires expenses over a certain sum to be authorised at a higher level, but which is not followed, monitored or enforced, leaves it open to an argument that the directors and officers did not exercise care and diligence.
Risk of fraud continues to grow, and new risks emerge over time. Cyber fraud has recently taken a seat front and centre globally, again throwing the question of director responsibility into the limelight. So, are directors and officers expected to be IT experts? The short answer is no, however, they are expected to understand the risk presented to cyber security by these threats. A recent survey of 600 board members in 12 countries showed that only 54% of Australian responders were confident their board of directors understood the system risks presented by cyber threats3.
Having a risk management framework that identifies areas of risk which includes a focus on fraud, is a good starting place. It requires an analysis of what are the fraud risks to the business, both internal and external, and ensuring the analysis encompasses all aspects of the business, both physical security as well as financial and cyber security. The Fraud and Corruption Control AS 8001:2001 is a good guide that can assist in this risk assessment exercise.
Are duties a one size fits all?
The duties discussed above are not a one size fits all. The standard of care and diligence is an objective test and is measured against what a reasonable director or officer would do considering:
- The position held by that person
- The responsibilities of the particular director or officer
- The corporation's circumstances.
There is however a minimum standard of care, in that directors and officers should take a "diligent and intelligent interest" in the information provided to them or that they should appropriately ask for in looking at fraud risk to the organisation and what systems and processes the organisation has in place.4 If an organisation has no policies dealing with areas of fraud risk, disaster recovery plan, checks and balances, auditing procedures to monitor compliance or similar items commensurate with the size of the organisation, how will a director or officer satisfy themselves, any regulator or court that they can meet the minimum standard? Remember also that there is no point in having compliance programs if they have no practical effect.
In terms of what an organisation should spend on systems and controls, this will depend on what is reasonable in the organisation's circumstances and whether what they put in place reasonably addresses the risk.
A key part of carrying out duties that apply to directors and officers, is to make risk a regular agenda item at meetings. An organisation should understand:
- What the risks to the organisation are
- The impact of the risk
- The likelihood of the risk occurring
- The consequences of the risk against the likelihood (to determine the risk exposure level)
- If the risk level is acceptable
- The effectiveness of the controls the organisation has in place
- Whether after implementing those controls the risk level is still within an acceptable level.
Often committees are set up specifically to draw up a risk matrix to consider these questions and remember that organisational fraud risk should be on this matrix because it can happen in all shapes and forms. Directors and officers should ensure they have a good understanding of the risks and ask questions that test the organisation's exposure.
Organisational Fraud Risk - what should I be doing now?
It is important that directors and officers review the processes, policies, controls and compliance systems to see if they are satisfied these would reasonably mitigate the risks posed by organisational fraud. Such review is never a stagnant exercise and is something that should be regularly conducted especially as new risks may emerge. If your organisation has been subject to organisational fraud, what did your debrief following the incident reveal and how did you act on these points to improve your processes and further minimise the risk of recurrence?
Have you recently reviewed your board and senior officer composition to ascertain if they are adequately informed and equipped to discharge their duties or whether training should be put in place? It is also opportune to review an organisation's insurance policies to ensure that there is cover for organisational fraud and if so, what are the inadequacies in your systems and conduct that may result in a claim being denied?
1 Section 180, Corporations Act 2001 (Cth).
2 Section 181, Corporations Act 2001 (Cth).
>3 Cyber Security: The 2022 Board Perspective Report; Cyber security at MIT Sloan (CAMS) and Proofpoint, cited in article, 'Australian Boards are World's least Cyber Minded' by David Braue, 12 October 2022 (https://ia.acs.org.au/article/2022/australian-boards-are-world-s-least-cyber-minded.html)
4 ASIC v Healey (No 2) (2011) 284 ALR 734; FCA 1003
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.