The Economic Crime and Corporate Transparency Act 2023 received Royal Assent on 26 October 2023. Included in the Act is the new failure to prevent fraud offence, under which a large organisation will be liable where a specified fraud offence is committed by an associated person (such as an employee, agent or subsidiary) intending to benefit the organisation, and the organisation did not have reasonable fraud prevention procedures in place. The offence will come into force only once the government has published guidance on what reasonable procedures look like. In preparation, we outline below the key considerations for organisations when updating their fraud risk management framework.
1. Governance
Organisations must ensure that a clearly defined governance structure is in place, with clarity over who in the organisation is responsible, and who is accountable, for owning and managing fraud risk.
The offence is structured so that corporate liability no longer depends on proving that senior management knew about the fraud: directors cannot shield the organisation from liability by pleading ignorance when fraud is identified within the business. Fraud risk should therefore be a routine board agenda item, and developing a culture in which the financial information provided by senior management can be robustly challenged will be crucial in meeting the requirements of the Act.
2. Risk Assessment
When preparing for the new regime, organisations should refresh their existing fraud risk assessments. Doing so will allow them to deploy their resources "reasonably" and "proportionately" to the areas of highest risk, whilst deprioritising areas that present little or no risk. Periodically refreshing the risk assessment ensures that emerging risks, which can often go undetected, are identified and addressed.
3. Controls
The reasonable procedures defence means controls should be designed with three clear objectives in mind: make fraud harder to commit, easier to spot, and easier to report. Organisations will need to tailor controls to the risks and complexity of their business. Because the offence targets fraud committed for the organisation's benefit rather than fraud committed against it, many organisations will need to shift their focus from external fraud and loss prevention towards internal fraud and accurate financial reporting, where there is typically significant exposure in areas such as:
- Accounting manipulation;
- Management estimates;
- Disclosures; and
- Adjusted performance metrics.
To comply with the regime, organisations will also need to consider areas where they have limited oversight. This includes operations in overseas markets, acquired businesses, and parties involved in their supply chain.
4. Monitoring
Monitoring is one of the most resource-intensive consequences of the new offence, as organisations will have to implement some form of monitoring mechanism, whether through internal resources or by outsourcing.
Many large organisations already have an internal audit or risk function which monitors and assesses controls across a variety of activities. Consideration should be given to implementing a "three lines of defence" model: management, which owns the process and its controls; a risk or compliance function, which oversees the design of the framework; and internal audit, or another monitoring function, which independently assures the effectiveness of the framework. For those organisations without an internal audit or risk function, it will be important to devise a proportionate and cost-effective approach to monitoring fraud risk going forward.
5. Training, Reporting and Investigation
As fraud indicators become increasingly technical and contextual, organisations should update their training to ensure employees can recognise the signs of fraud. Employees should also know the relevant reporting lines within the organisation. Organisations should develop clear and well-defined reporting procedures, coupled with robust support for whistleblowers, to create an environment in which reporting fraud-related misconduct is efficient and safe.
A strong reporting system, however, is only one component of an effective response to identified fraud. Internal investigation teams will need the necessary forensic accounting capabilities to carry out investigations. Organisations should therefore consider investing in training and upskilling their internal teams to manage complex investigations effectively, or outsourcing this function to external experts.
6. Culture
The foundation of fraud risk management is a strong anti-fraud culture. Developing this culture requires the right tone from the top and from middle management. It also involves aligning incentives with desired behaviours: finding a reasonable way to ensure that variable compensation tied to growth targets does not drive fraudulent behaviour, and incorporating compliance metrics, including clawbacks for misconduct, into remuneration. Consistently reinforcing a zero-tolerance policy on fraud and unethical behaviour, supporting employees in identifying and reporting misconduct, and implementing efficient reporting procedures are all critical to fostering a robust anti-fraud culture.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.