Fraud: Responsibility and culpability is changing

Under the current climate, with individuals struggling due to the cost of living crisis it is more important than ever for organisations to assess and manage their susceptibility to fraud. This could be seen as giving staff incentive to commit fraud.

Charities and NFP clients do tend to operate on a higher level of trust than their corporate counter parts.  If only I was given a pound for every time I was told as an auditor “we trust our staff”.  Such an attitude is not appropriate as it places undue pressure on the honesty of employees, and in situations of financial hardship can lead to a justification/rationalisation of taking a small amount that then cascades to more frequent or larger amounts. If appropriate control environment, checks and balances were in place then such temptation might never occur.

Currently organisations do have a duty of care to protect their employees from harm. This covers reasonably foreseen acts or omissions that are likely to harm employees. A lack of appropriate financial oversight and control would fall into this category, and give staff and fraudsters opportunity. Employers should have appropriate controls to protect their employees from temptation.  If your control environment is inappropriate and not robust, and an individual commits fraud, then are you complicit in the perpetrated fraud?

Fraud needs incentive, opportunity and rationalisation to take place. Employers have the ability to stop opportunity through effective controls.

Economic Crime and Corporate Transparency Bill

Currently, this Bill is making its passage through Parliament.  It will allow the Government to move faster when imposing sanctions, provide the ability to cease crypto-assets, and will create a Register of Overseas Entities (ROE) so as to be able to target foreign criminals laundering money in the UK and reforms at Companies House – such as identity identification of all existing and new directors at Companies House.

However, perhaps less known is that a ‘failure to prevent fraud, false accounting or money laundering’ could be become a new criminal offence. The House of Commons on 25 January 2023 tabled new additions to the draft legislation to include this new corporate criminal liability that will mean that it brings responsibility onto the entity and thus its key management for failings in the internal control environment that allowed fraud, false accounting or money laundering to occur.

Currently, if there is a failure in the control environment that allows a fraud to take place, there is a requirement for prosecution to demonstrate that management were fully aware of the weakness in order to be able to take proceedings.  This would completely change the onus of proof to just the weaknesses existing in the control environment that allowed the activity to take place.  Hence it will mean that the onus will be on the organisations will need to demonstrate that they have documented potential fraud, false accounting and money laundering opportunities and how these will be managed through preventative measures.  So watch this space, as the goal posts could move significantly.

Auditors

Another change in the fraud arena is the International Standard on Auditing (UK) 240 – ISA 240.  This ISA comes into effect for all audits ending on or after December 2022 onwards (and even earlier in certain circumstances such as shorter accounting period).  Because of this change, audit fees have to increase due to the level of additional work required on all audits as a result. There is also an updated ISA 315 applicable to the same audit periods, which has enhanced requirements also driving audit fee increases, but it is not covered by this article.

ISA 240 requires auditors to undertake substantially more audit work around potential for fraud. Fraud meaning the fraudulent reporting and misstatements arising from the misappropriation of assets   It encompasses assessing how fraud could occur, understanding the systems and controls in place, documentation of these the same and reporting on any weaknesses or issues arising.  Therefore, we as auditors are also now focusing more work in this area too.

Fraud assessment and controls

So what should you be doing? Assess the ability of fraudsters to commit a fraud in your organisation and how to prevent it.

In order to demonstrate your duty of care as a responsible and caring employer you need to assess your fraud risk and have appropriate controls.  The New Economic Crime and Corporate Transparency Bill will be driving the need for robust systems and controls to be able to demonstrate your defence if prosecuted in the future, should you be subject to a fraud. This fraud assessment needs to look at both external and internal fraud.

We have seen or heard about successful frauds perpetrated on clients by staff, but more commonly now fraud is instigated by outsiders who are able to circumvent controls and receive funds.  The estimated fraud loss to the UK economy last year was £193bn and this figure is increasing.

When thinking about fraud, think about how funds and assets could be targeted. There are two types of controls – active and passive. Active controls look to prevent fraud occurring cover aspects such as segregation of duties, physical control over assets, sequential numbering for instance of sales invoices, signatures and counter signatures and passwords. Passive controls are looking to detect if fraud has occurred such as reviewing audit trails, internal or external audits, surveillance of personnel or controls and reviewing procedures.

Let’s consider an example:

Do you have effective procedures in place which prevent bank account changes occurring to suppliers and employees without appropriate checks and balances? We have all heard about supplier statement frauds, but the latest is changing employee bank details that only work for one month. Therefore, is every bank account change authorised by someone other than the person who initiated the change? Are the bank accounts verified by a named contact at the organisation, or directly with the employee, by telephone?  Sending emails is insufficient, fraudsters can intercept email traffic and have even diverted genuine supplier telephone numbers too, so that only direct contact with the named person would have prevented the fraud.  How is this process documented and evidenced of having taken place? Do you review supplier and payroll audit trails to confirm all changes are authorised?

Next steps

We would recommend that all organisations start to look at ensuring they have effective control environment in place as soon as possible, as changing controls will take time. The new Bill is rapidly going through Parliament and the consequences of not taking action could result in a criminal record and even imprisonment if it remains unchanged.

This article was written by Helena Wilkinson, a Corporate Partner within Price Bailey and Head of our Charities and Not For Profit team. If you have any questions relating to this topic, please contact Helena or another member of the Charities team using the form below.