A series of high-profile corporate collapses, the growing importance of data and non-financial risks and the exponential rise of fraud have focused minds on the widespread harm that fraudulent activity inflicts not just on the wider economy, but on companies and individuals too.
With this in mind, the new Economic Crime and Corporate Transparency Act (the ECCTA) introduces a ‘failure to prevent fraud’ offence into UK law.
Roy Waligora, Head of Investigations and Corporate Forensics at KPMG UK, says: “If we consider the fraud triangle framework, consisting of opportunity, incentive and rationalisation, two risk factors in particular are driving fraud: new technologies are providing fresh opportunities for criminals to scam businesses, and the cost-of-living crisis is providing personal incentive to commit this crime.”
But as KPMG’s latest Fraud Barometer underlines, it’s not just external threats that businesses should be worried about. In 2023, employees and management were involved in nearly half of all fraud cases over £100k to the combined value of £221.3m, Waligora says.
Internal controls
The new offence in the ECCTA puts more pressure on management to fulfil its responsibilities to put in place strong systems and internal controls, as well as to understand and proactively manage its fraud risk.
Under the ‘failure to prevent fraud’ law, large organisations may be prosecuted, with the potential for an unlimited fine, where fraud is uncovered and the company is shown to have failed to take reasonable steps to prevent it. This could also apply if the organisation is not UK-based. Currently, small and medium-sized businesses are exempt from the new law, but that could change in the future.
“Fraud accounts for over 40% of crime in England and Wales, making it the most common type of crime. This is being driven in large part by the increasing prevalence and sophistication of online scams and fraudulent investment schemes, which are often promoted on the internet and take advantage of social media platforms,” says Lucy Blake, an investigations, compliance and defence partner at law firm Jenner & Block’s London office.
Blake says the Serious Fraud Office has launched five new fraud investigations since the current director took up his post last September. “Given this focus, companies should be carrying out risk assessments to pinpoint where in their business fraud is most likely to occur, and test the effectiveness of their existing compliance framework to identify and close any gaps,” she says.
Declaration on effectiveness
The UK government has withdrawn a proposal to legislate for requirements that directors make a declaration about the effectiveness of the entity’s internal controls and a statement on material fraud. However, under the Financial Reporting Council’s (FRC) updated Corporate Governance Code 2024, directors will have to make a declaration about the effectiveness of controls deemed to be material. The revised Code is effective as of January 2025, but the new provision on material controls won’t take effect until January 2026.
Tracy Gordon, Director of Deloitte’s UK Centre for Corporate Governance, says: “What we’re hearing is that companies will probably start to dry-run it next year, maybe this year. They will start thinking about ‘what are our material controls and how are we going to do the testing’ and then dry-run it in 2025; then they will have to comply in 2026.”
‘Material controls’ will be company-specific. The declaration will cover all material controls, including financial, operational, compliance and non-financial reporting controls. Reporting on operational and compliance controls is a new requirement.
So what should directors do to help combat the potential for fraud and illustrate to investors and key stakeholders that their internal controls are robust? “Executives should use their knowledge of fraud risks to assess the effectiveness of their prevention and detection processes. This involves comparing the current framework with the necessary actions and controls to identify any weaknesses,” says Waligora, adding that boards should also regularly update this analysis “to ensure that the company’s fraud responses remain effective and proportionate in detecting new fraud methods”.
The updated Code tightens the link between risk management and internal controls. The changes to the Code hand executives an opportunity to rethink their approach to risk, control and assurance.
Think fraud risk
Jayne Kerr, a Director in UK Public Policy, PwC, says: “The material controls declaration includes financial, reporting, operational and compliance controls. To the extent that there’s a material fraud risk to the business, then I would expect the material controls over that risk to be included in the declaration. So I always remind companies, when you’re thinking about your material controls, always think about the fraud risk as well.”
Directors need to formulate a clear strategy to oversee their risk, controls and assurance processes. It’ll be vital to ensure organisations have appropriate oversight of the arrangements in place. Ideally, this could be defined in a ‘four lines of defence’ model.
The Institute of Internal Auditors recommends a three-line approach to fraud controls within a business, with senior managers in the first and second line. Separate from these first two lines of defence is the third: internal audit. External audit is considered as the fourth line.
Gordon says: “A material control could be deemed to be one over the risk of fraud. As companies start to prepare for the material controls declaration and also the new ‘failure to prevent’ offence, it will increase the focus of boards on fraud. It’s helping boards build a better understanding of what is done about fraud risk in the business – and that can only be a positive thing.”
The FRC has made it clear that the revised Code is not an introduction of the US’s Sarbanes-Oxley (SOX) Act through the back door, and that it is not expecting organisations to take the same approach. The UK Code is framed on a ‘comply or explain’ basis rather than a legal requirement.
However, if an organisation is dual-listed in the US and directors are already complying with US SOX, the business is well-positioned to adapt to the UK’s new regulations on fraud risk.
Putting in place an organisational culture that encourages ethical behaviour, promotes transparency and allows employees to feel comfortable raising concerns, in the knowledge that management will take appropriate action, remains as vital as ever.