Are you ready for stricter fraud regulation?

A recent government white paper warns of imminent changes in the way your company prevents, detects and reports fraud.

Here, in plain English, is what it says – and what you’ll need to do about it. 

It had to happen. After several high-profile corporate failures prompted Sir John Kingman’s independent review of the Financial Reporting Council and Sir Donald Brydon’s review of the quality and effectiveness of audit, the government has responded with a package of measures aimed at improving the UK’s audit, corporate reporting and corporate governance systems.

These measures are outlined in the Department for Business, Energy & Industrial Strategy’s White Paper ‘Restoring trust in audit and corporate governance’. They are likely to form part of stronger regulation (nicknamed ‘UK SOX - Sarbanes Oxley’ after the United States’ Sarbanes-Oxley Act), improving the prevention, detection and reporting of fraud.

Crucially, they will change how UK companies operate.
 

What changes should you expect?

The White Paper talks about the “introduction of stronger regulation, possibly adopting elements of the regime that applies in the US under the Sarbanes-Oxley Act 2002 (SOX)”.

It makes four proposals likely to form the basis of future regulatory requirements:

1. Fraud risk assessment: “Actions may include undertaking an appropriate fraud risk assessment and responding appropriately to identified risks”.
   
2. Training & communication: “Promoting an appropriate corporate culture and corporate values”.
3. Implementing controls: “Ensuring appropriate controls are in place and operating effectively”.
4. Board-level reporting: “Require Directors to report on the steps they have taken to prevent and detect material fraud”.
    

What should you be doing?

Think of the White Paper as a polite forewarning of what is to come, so that you are forearmed when the regulation arrives. Which means it’s time to get in touch with your inner scout and ‘be prepared’.

To that end, we believe it helps to have a clear ‘IDIA’ of what needs doing. This badly spelt but memorable acronym stands for: Improve, Design, Implement and Assess.

Follow these four imperatives – as set out in the diagram below – and you’ll have the technology, processes and people ready to meet future regulatory demands.

Improve, Design, Implement and Assess (IDIA)

4 practical steps to maintaining strong corporate controls and procedures

Fraud follows opportunity and attacks weakness. Know where you are vulnerable and how to take control. 

What does that mean for your company?

Using the words of the White Paper, let’s take each point in turn and expand on that IDIA…
 

• “Require Directors to report on the steps they have taken to prevent and detect material fraud”.

This is all about management taking responsibility. The importance of taking a proactive top-down approach to improving the protection of your organisation against fraud risk and preparing for incoming regulatory requirements.

It goes beyond compliance. It’s also about focusing on good governance, sensible business practice and fostering the right culture to prevent loss and reputational damage.

It will require every organisation to take a risk-based approach: reducing and managing fraud risks by ensuring that robust processes and controls are implemented.
 

• “Actions may include undertaking an appropriate fraud risk assessment and responding appropriately to identified risks”.

Typically, the first step in managing fraud risk should be an enterprise-wide fraud risk assessment.

The assessment should consider the key fraud risks faced across your organisation and be updated regularly to account for changes in working practices and business environments. It should also incorporate specialist expertise, data analysis and engagement from key stakeholders.

The fraud risk assessment provides an indication of risk exposure for each area or activity of your organisation and should then be used to drive additional fraud risk management activities.

You’ll need to put in place an overarching anti-fraud strategy – including a dedicated fraud response plan, which should be reviewed on an ongoing basis to ensure it remains up to date. This should be informed by the risk assessment process, supported by detailed policies and procedures covering the key risk areas, and aligned to corporate /cultural values.

• “Promoting an appropriate corporate culture and corporate values”.

Having the right policies and procedures in place is only effective if they are understood and accepted by employees. Again, this requires the collective support of your senior stakeholders who must be seen to deliver a clear, consistent and unequivocal message.

Raising awareness of the risks and responsibilities relating to fraud can be a challenge. Which is why regular organisation-wide anti-fraud training should be provided – including tailored training for high-risk positions, such as HR, finance, procurement, etc.

Your employees’ understanding of key anti-fraud policy requirements and their attitude towards fraud risk can be assessed by performing fraud-culture surveys. The outputs from which should be acted upon to further strengthen the culture and amend the approach taken accordingly.
 

• “Ensuring appropriate controls are in place and operating effectively”.

Using the results from the risk assessment, the next step is to take the fraud risks that have been identified and implement anti-fraud controls that mitigate each risk.

You can also build the risk assessment results into the Internal Audit, or other second line assurance plans, to ensure appropriate coverage.

Where control gaps or weaknesses in the design of processes are identified, action plans should be put in place to identify and implement appropriate anti-fraud controls.

If no design weaknesses are identified, then you can test the operational effectiveness of the key controls and processes to evaluate their ability to address each fraud risk.

Consider the use of targeted data analytics via machine learning or traditional rules-based analysis. This is a powerful tool in helping to identify and monitor correlations and risk areas which may warrant preventative action or investigation.

What next?

It can take time for internal teams to get to grips with any new legislation and when it comes to fraud protection solutions, one size does not fit all.

Having investigated some of the most complex and high-profile frauds of recent times, we’re able to bring an invaluable ‘lessons learned’ perspective to proactive fraud-risk management. If you would like to discuss any of the issues raised in this blog please don’t hesitate to get in contact.

Among other things, the Deloitte team offers:  

• Enterprise-wide fraud risk assessments
• Design and implementation fraud response plans
• Fraud culture surveys
• Training and awareness
• Targeted fraud risk audits
• Anti-fraud monitoring
• Anti-fraud framework capability and maturity assessment