Fraud is dynamic, and fraudsters evolve faster than any regulation or corporate internal controls. These criminals are sophisticated, exploiting new weaknesses and constantly adapting to technological detective efforts.
Much of the debate around fraud prevention and detection has so far fallen on the shoulders of auditors, given the high-profile corporate collapses of recent years. But ultimately, it is the responsibility of management to improve their own approach to managing fraud risk. As auditors step up their efforts to curb fraud, so too must organisations.
The government’s planned governance reforms include requiring directors of public interest entities to report on the steps they have taken to prevent and detect fraud, but requirements for auditors to report on the factual accuracy of this statement have now been dropped. Craig Wright, Partner, Internal Audit, Risk and Compliance, KPMG, says: “The primary responsibility for preventing and detecting fraud will always rest with management. Internal auditors are the third line of defence.”
Reporting on internal controls is expected to involve a steep learning curve for both companies and internal auditors, even though proposals to legislate have been dropped; the requirement will be carried forward through the UK Corporate Governance Code.
Only around 25 of the UK’s largest companies have first-hand experience of the US SOX regime and more will be caught under the new regime. They should consider planning ahead now, so that a more connected ‘whole-system’ approach to fraud can be achieved.
Matthew Lester, audit committee chair of ICG Group and non-executive chair of Kier Group, questions whether best practice currently exists in terms of anti-fraud governance measures within companies. One of the main issues boards need to address, he says, is defining the types of fraud within organisations. Fraud can range from senior management misrepresenting the financial health of a company, to cybercrime and bribery.
“One of the first steps, I’d say, is that good governance requires there to be a clear articulation of the different types of fraud that are to be governed and where within your organisation is the centre of gravity for the oversight and governance of each type,” Lester says.
Once companies are able to clearly define fraud and identify the risk of the different types of fraud, senior management can then look at external factors such as complying with the Bribery Act, ensuring training and education, drafting a fraud policy and ensuring a feedback loop via a whistleblowing hotline.
The trickier side of fraud prevention comes about with the need for non-executive directors, particularly those who sit on audit committees, to detect and prevent fraud by senior management without damaging trust and working relationships.
“Boards have to develop a relationship of trust with their senior management. It can be difficult for a board to then turn around and say we need processes in place to ensure senior management are not committing fraud or misrepresenting the state of the company. It’s just something we’re not very comfortable with. It’s a bit like hiring a private detective to spy on your family, having explicitly told them you trust them,” Lester says.
With this in mind, and the continuing fall-out from corporate scandals such as Carillion and Patisserie Valerie, it is crucial for boards to question the extent to which there is a concentration of power and influence among senior individuals, be it the CEO, the CFO, or the treasurer.
Wright says: “There are a lot of questions now being asked of internal audit functions and their role going forward, in light of the expected changes to a company’s external reporting requirements; for instance, the role of internal audit in relation to material fraud statements within the directors’ report. What, if anything, should internal audit be doing to assure directors in advance of their reporting obligation as to how they themselves have assessed the risk of material fraud?”
Best practice should include having a robust process in place to verify that senior management are behaving in a way consistent with what the non-executive directors think they should be doing, Lester says.
“I think a lot of people, particularly in the media, are sceptical that boards have the right relationship with senior management. They think boards are often ‘captured’ by their management and do not entertain sufficient challenge. I think this is probably where the least ‘best practice’ exists,” Lester says.
Most research, such as PwC’s Global Economic Crime and Fraud survey 2022, shows it is cybercrime that poses the biggest threat: 41% of organisations with global annual revenues over $10bn say they have experienced cybercrime in the past 24 months, and just under a quarter (24%) have experienced asset misappropriation.
Nonetheless, the recent corporate scandals have understandably led to a heightened focus on, and societal discomfort with, management’s misappropriation of assets. It is this area on which internal auditors will be expected to train increased attention to avoid future reputational damage to companies, auditors and, vitally, capital markets.
Organisational culture will play a critical role in shaping an environment where employees at all levels are encouraged ‘to do the right thing’ and feel they can raise concerns directly to all levels in the organisation.
Lester says: “I think the new requirements will need us all to revisit the control environments of our companies and question whether the existing environment would highlight fraud and misrepresentation.”