Introduction
An amendment to the Economic Crime and Corporate Transparency Bill (the Bill) has brought in the offense of failure to prevent fraud (Offense). Under the new Offense, an organization will be liable where a specified fraud offense is committed by an employee or agent, for the organization’s benefit and the organization did not have reasonable fraud prevention procedures in place. It does not need to be demonstrated that the company's leadership ordered or knew about the fraud.
There has been considerable analysis and debate regarding the new Offense, including assumptions that government guidance will look and feel like the guidance issued for the UK Bribery Act and the Failure to Prevent Tax Evasion, i.e., it will hinge on what is reasonable and proportionate. A fraud risk assessment will be a useful starting point for any organization in designing adequate procedures; however, there are some basic tenets to fraud risk management that will apply to any organization, regardless of their size and complexity. Below we discuss these considerations within the context of a recently prosecuted fraud to highlight the practicalities facing UK companies subject to the Offense.
Case Study
In 2022 the FCA (Financial Conduct Authority) successfully concluded its prosecution of Timothy Coleman and Estelle Croft, the former CFO (Chief Financial Officer) and Finance Director of Redcentric Plc. They were found guilty of several offenses including false accounting, contrary to Section 17(1)(a) of the Theft Act 1968. When the offenses were committed the company would have satisfied all the criteria to be caught by the Offense: more than 250 employees, more than £36m in turnover, and more than £18m in assets.
Some of the criminal conduct was unsophisticated; Croft gave the auditors falsified bank statements that inflated the company’s cash position and supplied them with fabricated bank reconciliations.
Coleman further inflated those figures for financial reports that were then presented to the Board. One of the offenses within the scope of the act is false accounting contrary to s17 of the Theft Act - offenses that Croft and Coleman committed.
The question of whether Redcentric had reasonable fraud prevention procedures in place to prevent the false accounting from taking place was not relevant at the time. However, if similar conduct occurs after the Bill becomes law that question would potentially be considered by a prosecutor.
What Reasonable Procedures Should Companies Consider Putting in Place?
To invoke the reasonable procedures defense, a company should be able to point to the policies, procedures, and controls they have in place to prevent the various types of fraud set out in the Bill.
Although it is near impossible to prevent bad actors from perpetrating fraud in your business, reasonable procedures should be designed with three clear objectives;
- make it harder for people to commit fraud;
- make it easier for employees to spot fraud; and
- make it easier for colleagues to report fraud.
Anti-fraud Culture
Developing a strong culture should be the bedrock of any fraud risk management program. A central component of a demonstrable anti-fraud culture is the appointment of an executive-level sponsor. The appointment of an anti-fraud champion, who is accountable for managing the firm’s response to fraud, ensures that there is both visibility and accountability for preventing fraud while demonstrating the organization’s intolerance of fraud to all employees.
Developing this culture also involves aligning incentives to desired employee behavior. In the case of Redcentric, those involved in the criminal conduct were incentivized to meet financial targets and this appears to have influenced their actions in a negative way. Altogether removing variable compensation is a challenge, especially for senior management who are often compensated for delivering growth. However, efforts can be made to de-emphasize the variable elements of the pay, incorporate compliance metrics, and include claw-back provisions for misconduct.
Companies will also need to revisit training, communications, and whistle-blowing mechanisms. It will be important that companies consistently message an intolerance of fraud and unethical behavior, support employees to spot and report the signs of misconduct and ensure reports of fraud are managed effectively.
With respect to training, organizations must ensure employees and directors who prepare or review financial information are adequately trained to scrutinize the information they receive. In the Redcentric case, there were executive and non-executive directors who received the false numbers that were ultimately fed into the accounts and delivered to the market. Organizations will want employees in equivalent positions to be properly trained and have sufficient time to scrutinize the financial information they are provided with.
Systems and Controls
Before implementing systems and controls, organizations should base their interpretation of the words “reasonable” and “proportionate” on the results of a fraud risk assessment. For example, it is reasonable to accept certain areas of your organization present little to no risk of fraud. This allows for resources to be deployed to areas of high risk, resulting in more stringent control activity over areas where fraud is most likely to occur and have a significant impact.
While specific procedures and controls will be tailored to risk and complexity, there are control areas we commonly see fail in fraud investigations, each meriting some level of review considering the Offense. These include (but are not limited to):
- financial reporting controls
- disclosures reviews
- scrutiny over management estimates / top-line adjustments
- evaluations of material changes in accounting policy
- segregation of duties
In the case of Redcentric, there was evidence of collusion between Croft and Coleman; a lack of segregation of duties within the cash recognition process enabling Croft to finesse the cash statements; and limited challenge around management level adjustments allowing for Coleman’s inflated figures. According to its 2022 Report to the Nations, The Association of Certified Fraud Examiners cited that 23% of occupational frauds were caused by owners/executives and they caused the largest losses for companies. They also cite that 20% of frauds occurred due to overrides of existing controls[1]. Controlling for collusion, management override or areas of management discretion is difficult, and we consider even the most sophisticated companies will need to reassess these risks.
Auditors
Redcentric had external auditors who signed off on their accounts. However, the FCA’s Final Notice of June 26, 2020 states that the company “knew, or could reasonably have been expected to know, that the information about its net debt and cash and cash equivalents published in its 9 November 2015 Statement and its 16 June 2016 Statement was false and misleading.[2]”
Redcentric’s external auditors were subsequently criticized and fined by the FRC who said that there was a “lack of professional scepticism”[3]. It will be important that those responsible for internal fraud controls are able to demonstrate that they showed “professional scepticism” when fulfilling their roles.
Companies may be tempted to rely on their external auditors in place of appropriate anti-fraud systems and controls. However, external auditors should only be part of the equation. In addition to fraud prevention controls, it is reasonable to assume any guidance for the Offense will include expectations for monitoring the effectiveness of procedures, outside of the external audit context.
Many large organizations have some form of internal audit or risk function which assess controls across a variety of organizational activities. Regulated and sophisticated corporates go one step further by implementing “three lines of defense” (3LOD): management that own process; a risk/compliance function that oversees the design of frameworks; and an internal audit function that independently assures the effectiveness of the frameworks. Structural differences aside, the premise is management and the board receives control assessments, which provide confidence in representations to external auditors as to whether there are functioning controls designed to prevent and detect fraud (among other representations).
While a dedicated internal audit function may not be proportionate for every organization, some form of monitoring will likely be required. We consider this to be one of the most resource-intensive implications of the new Offense, especially for organizations with no current monitoring mechanisms.
Conclusion
There are a few practical matters to consider when preparing a response to the Offense. First, the government is yet to publish guidance for the Offense, which should provide further clarity on the reasonable procedures the government might expect in preventing fraud.
Secondly, identifying who should "own" a business’ response to the Offense is a decision that should be considered carefully. For example, appointing an executive whose day-to-day responsibilities overlap with areas of high fraud risk within the organization to design the framework may result in a more efficient process. However, it is worth also defining and engaging with those who will run the controls, those who will design them, and those who can objectively assess them to make the overall program a success and demonstrate a considered approach.
A final, but important consideration is preparing for a fraud risk assessment. Even the best-planned controls, internal audits, and external audits can have weaknesses. So, regardless of an organization’s current framework, a risk assessment would be a great starting point that will only serve to better inform your organization of its fraud risk exposure.
[1] https://acfepublic.s3.us-west-2.amazonaws.com/2022+Report+to+the+Nations.pdf
[2] Final Notice 2020: Redcentric PLC (fca.org.uk)
[3] News I Financial Reporting Council (frc.org.uk)
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
