Audit committees share their knowledge, experience and concerns around fraud risks in ICAEW’s second report on sharpening the focus on corporate fraud. Katharine Bagshaw shares some insights.
You could be forgiven for thinking that neither companies nor auditors really care much about fraud, if media reports were all you had to go on. These reports often imply that both are, at best, indifferent to fraud, or that they turn a blind eye or ignore glaringly obvious warning signs.
ICAEW has published the following reports with a view to addressing unbalanced coverage, and providing a picture of how fraud is in fact perceived and managed by auditors and companies.
- Sharpening the Focus on Corporate Fraud: An Audit Firm Perspective, published in July 2022, sets out audit firm initiatives to better deal with fraud. It also sets out recommendations for what more can be done or done differently to deter and detect fraud – and done not just by audit firms, but by directors, government and audit regulators.
- Sharpening the Focus on Corporate Fraud: An Audit Committee Perspective, published in May 2023, discusses the same subject from the significantly broader perspective of audit committee members and chairs from large companies both within and outside the UK.
The collective knowledge and experience of the individuals we interviewed for these publications is immense. They are listed at the back of each publication. In this article we focus on the latter report, but both are particularly relevant to the government’s fraud strategy published on 3 May and, in particular, the introduction of a new corporate offence of ‘failure to prevent fraud’, with provisions relating to the prosecution of senior managers and the seizure of crypto assets.
Is fraud a risk?
An overwhelming majority of audit committee members and chairs emphasised the importance of the fraud risk. They said that it should not be underestimated and that it is the collective responsibility of the entire board, not just the audit committee. Some of those we spoke to – who are after all ‘those charged with governance’ – emphasised the fact that fraud is not the only risk that companies and audit committees must address, and that it is not necessarily the most important.
Interviewees noted that preventing fraud costs money and that the only way to eliminate any fraud risk is to stop doing business. The type of fraud that threatens the viability of companies is very rare.
When we asked interviewees what kept them awake at night, cyber risks came up repeatedly as ‘unknown unknowns’. They talked about constant cyber insecurity and aggressive attacks that no amount of specialist expertise can address.
Interviewees also expressed concerns about the integration of operational and information technologies (OT and IT). OT has, to date, generally been offline but the combination of OT and IT online has become unavoidable, and the need to manage the interface is critical.
Culture and (bad) behaviour
No interviewee referred to a ‘toxic’ culture in any context, but many said they would not accept appointment to an entity that they believed to be badly governed. They all talked about the importance of culture and the tone at the top.
Bad behaviour by senior management who don’t walk the talk – described as “entitled C-suiters” by one interviewee – and disaffected, resentful staff were seen as key fraud risks. One interviewee emphasised the need for senior management to be seen to be frugal, noting that fraudsters in reality are often long-standing, trusted employees. Another referred to the difficulties associated with detecting collusive management fraud before it is too late, and collective board “blind spots”.
Who challenges who, how and how effectively?
Interviewees felt a clear responsibility to challenge management and believed that the quality of this challenge has improved in recent years. Many interviewees were ex-auditors. They emphasised the importance of a high-quality audit engagement partner to set the tone from the top for the audit. While all were respectful of the value of external audit, they were clear about its limitations, particularly in the context of fraud, given the periodic nature of external auditor involvement. They spoke particularly highly of the role played by internal audit, who are there all the time and have a remit that extends beyond the financial statements.
Several interviewees stressed the need for external auditors to focus on the bigger picture – by paying more attention to analysts’ briefings and reports, for example.
External auditors and audit committee members and chairs wanted each other to make more effort to understand their respective perspectives on the fraud risk.
Internal control and corporate regulation
There was a general consensus that boards act because of market pressure and the reputational damage arising from fraud. Many interviewees were ambivalent about the value of regulation generally. They were particularly cautious about assuming that regulatory models based on Sarbanes-Oxley will work in other jurisdictions.
Some interviewees in the financial services sector suggested that the regulatory and control model applied in that sector could be applied more widely. Others were not so sure because there is a level of homogeneity in financial services that does not exist in the wider corporate sector.