The Next Anti-Fraud Push: U.K.’s ‘Failure to Prevent Fraud’ Offense

By Matt Kelly posted 22 days ago

Global businesses need a system of internal controls that can withstand scrutiny from any direction. So today let’s turn our eyes to the United Kingdom, where a new “Failure to Prevent Fraud” offense could pose some significant challenges for compliance and internal audit teams later this year. 

As the name implies, the offense (created by the Economic Crime and Corporate Transparency Act 2023 and in force from Sept. 1, 2025) makes a large organization criminally liable when an employee, agent or other "associated person" commits a specified fraud intending to benefit the organization or its clients, and the organization failed to prevent it. The organization can escape that liability only by showing that it had "reasonable procedures" in place to prevent fraud (or that it was not reasonable in the circumstances to expect any).

The question for internal control teams is whether your company's existing anti-fraud controls will meet that "reasonable procedures" standard. If they don't, you'll need to bring your controls into alignment with the law's expectations; otherwise you risk an unlimited fine and the other costs of a criminal prosecution.

So let’s review what the Failure to Prevent Fraud offense is, the reasonable procedures you’ll want to have, and the steps you’ll need to take to get there.

Failure to Prevent Fraud 101

The objective of the Failure to Prevent Fraud offense is to push companies to change their corporate culture toward taking fraud more seriously. 

Conceptually the law resembles the internal-controls provisions of the U.S. Securities Exchange Act, in that both statutes push companies to adopt a strong system of internal controls. The U.S. provisions, however, are enforced mainly through civil proceedings and apply only to publicly traded companies (issuers). The Failure to Prevent Fraud offense is a criminal statute (read: more severe punishments) that applies to all "large organizations," whether public, private or nonprofit, that fall under U.K. jurisdiction.

Specifically, an organization counts as "large," and is subject to the law, if it meets any two of the following three criteria in the financial year preceding the fraud:

  • More than 250 employees

  • More than £36 million turnover

  • More than £18 million in total assets

For a parent company, the test is applied to the group as a whole, so a subsidiary's modest U.K. footprint does not by itself keep the group out of scope.

The law also reaches what the statute calls "associated persons": employees, agents, subsidiaries and anyone else performing services for or on behalf of your organization. If one of them commits a specified fraud intending to benefit your organization (or a client your organization serves), your organization can be held liable for failing to prevent it. There is an important limit: the offense does not apply where your organization was itself the victim, or the intended victim, of the fraud. An employee who embezzles from the company is a fraud problem, but not this offense.

Another important point is that you don't need to be a British organization to be subject to the law. All British organizations of the required size are subject to it, of course; but so is an overseas organization if part of the fraud took place in the United Kingdom, if it targeted victims in the U.K., or if the gain or loss occurred in the U.K.

What qualifies as a fraudulent act your company should prevent? The underlying offenses are listed in Schedule 13 of the Act and include:

  • Fraud by false representation;

  • Fraud by failing to disclose information;

  • Fraud by abuse of position;

  • Obtaining services dishonestly;

  • Participating in a fraudulent business;

  • False accounting;

  • False statements by company directors;

  • Fraudulent trading;

  • Cheating the public revenue.

Aiding, abetting, counselling or procuring any of these offenses is covered as well.

Quite simply, the Failure to Prevent Fraud offense is expansive. It covers a wide range of possible frauds and a wide range of organizations. Just about any organization that works on a global scale is likely to be in scope — and there’s no upper limit to the possible monetary penalties an offending company might face. 

The incentive, therefore, is to avoid corporate criminal liability by implementing "reasonable procedures" to prevent the frauds listed above. Note that the burden of proving those procedures existed falls on the organization, not the prosecution, so the procedures need to be documented, not merely practiced. Let's turn to that next.

How to Design ‘Reasonable Procedures’ 

The reasonable anti-fraud procedures you'd want to implement at your business are mostly the same anti-fraud procedures internal auditors have known for years. The Home Office guidance organizes them into six principles: top-level commitment (a "tone at the top" against fraud), risk assessment, proportionate risk-based prevention procedures, due diligence, communication (including training), and monitoring and review.

To that extent, the U.K.'s expectations for reasonable procedures aren't much different from the five components of the COSO internal control framework: control environment, risk assessment, control activities, information and communication, and monitoring activities. The challenge for internal audit teams will be to document your controls, map them to the U.K. principles, and then fill in any gaps as necessary.

For example, the guidance released by the British government talks at length about defining roles and responsibilities for anti-fraud. That includes designating someone as responsible for anti-fraud efforts (a chief compliance officer, typically); and then giving him or her appropriate resources for, say, developing an internal hotline or a set of anti-fraud policies. 

Or consider risk assessment and training, and how the two overlap. You’ll need to consider who at your company might commit some of the frauds mentioned above, and how they might do that. For example, an accounts payable clerk could engage in false accounting through bogus vendors; a VP of investor relations would be more likely to make false or misleading statements. So what role-specific training would you want for each person? What approvals or other internal controls would you want in place, given the different risks they pose? 

Good News: You Can Do This

This is the same sort of work internal audit teams have already done for years to demonstrate Sarbanes-Oxley compliance: document your controls, perform a gap analysis, and remediate the gaps. The tools and processes you already use for that documentation and remediation should extend readily to this new U.K. demand.

Senior management teams have faced the same challenge for years, too: demonstrate that you take fraud risk seriously by assigning competent people to address it, and then enforce the anti-fraud policies and procedures in the employee handbook.

If anything, the arrival of the Failure to Prevent Fraud offense shows that governments around the world are converging on common expectations for corporate governance and integrity. Businesses need to build their anti-fraud capabilities up to that base level, because sooner or later you will encounter a regulator who expects you to take fraud seriously.

About Matt Kelly

Matt Kelly is an independent compliance consultant specializing in corporate compliance, governance, and risk management. He shares insights on business issues on his blog, Radical Compliance, and is a frequent speaker on compliance, governance, and risk topics.

Kelly was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and named to Ethisphere's "Most Influential in Business Ethics" list in 2011 and 2013. He served as editor of Compliance Week from 2006 to 2015.

Based in Boston, Mass., Kelly can be contacted at mkelly@RadicalCompliance.com.
