Are you ready for stricter fraud regulation? | Deloitte UK has been saved
Limited functionality available
A recent government white paper warns of imminent changes in the way your company prevents, detects and reports fraud.
Here, in plain English, is what it says – and what you’ll need to do about it.
It had to happen. After several high-profile corporate failures prompted Sir John Kingman’s independent review of the Financial Reporting Council and Sir Donald Brydon’s review of the quality and effectiveness of audit, the government has responded with a package of measures aimed at improving the UK’s audit, corporate reporting and corporate governance systems.
These measures are outlined in the Department for Business, Energy & Industrial Strategy’s White Paper ‘Restoring trust in audit and corporate governance’. They are likely to form part of stronger regulation (nicknamed ‘UK SOX - Sarbanes Oxley’ after the United States’ Sarbanes-Oxley Act), improving the prevention, detection and reporting of fraud.
Crucially, they will change how UK companies operate.
The White Paper talks about the “introduction of stronger regulation, possibly adopting elements of the regime that applies in the US under the Sarbanes-Oxley Act 2002 (SOX)”.
It makes four proposals likely to form the basis of future regulatory requirements:
Think of the White Paper as a polite forewarning of what is to come, so that you are forearmed when the regulation arrives. Which means it’s time to get in touch with your inner scout and ‘be prepared’.
To that end, we believe it helps to have a clear ‘IDIA’ of what needs doing. This badly spelt but memorable acronym stands for: Improve, Design, Implement and Assess.
Follow these four imperatives – as set out in the diagram below – and you’ll have the technology, processes and people ready to meet future regulatory demands.
Improve, Design, Implement and Assess (IDIA)
4 practical steps to maintaining strong corporate controls and procedures
Fraud follows opportunity and attacks weakness. Know where you are vulnerable and how to take control.
Using the words of the White Paper, let’s take each point in turn and expand on that IDIA…
This is all about management taking responsibility. The importance of taking a proactive top-down approach to improving the protection of your organisation against fraud risk and preparing for incoming regulatory requirements.
It goes beyond compliance. It’s also about focusing on good governance, sensible business practice and fostering the right culture to prevent loss and reputational damage.
It will require every organisation to take a risk-based approach: reducing and managing fraud risks by ensuring that robust processes and controls are implemented.
Typically, the first step in managing fraud risk should be an enterprise-wide fraud risk assessment.
The assessment should consider the key fraud risks faced across your organisation and be updated regularly to account for changes in working practices and business environments. It should also incorporate specialist expertise, data analysis and engagement from key stakeholders.
The fraud risk assessment provides an indication of risk exposure for each area or activity of your organisation and should then be used to drive additional fraud risk management activities.
You’ll need to put in place an overarching anti-fraud strategy – including a dedicated fraud response plan, which should be reviewed on an ongoing basis to ensure it remains up to date. This should be informed by the risk assessment process, supported by detailed policies and procedures covering the key risk areas, and aligned to corporate /cultural values.
Having the right policies and procedures in place is only effective if they are understood and accepted by employees. Again, this requires the collective support of your senior stakeholders who must be seen to deliver a clear, consistent and unequivocal message.
Raising awareness of the risks and responsibilities relating to fraud can be a challenge. Which is why regular organisation-wide anti-fraud training should be provided – including tailored training for high-risk positions, such as HR, finance, procurement, etc.
Your employees’ understanding of key anti-fraud policy requirements and their attitude towards fraud risk can be assessed by performing fraud-culture surveys. The outputs from which should be acted upon to further strengthen the culture and amend the approach taken accordingly.
Using the results from the risk assessment, the next step is to take the fraud risks that have been identified and implement anti-fraud controls that mitigate each risk.
You can also build the risk assessment results into the Internal Audit, or other second line assurance plans, to ensure appropriate coverage.
Where control gaps or weaknesses in the design of processes are identified, action plans should be put in place to identify and implement appropriate anti-fraud controls.
If no design weaknesses are identified, then you can test the operational effectiveness of the key controls and processes to evaluate their ability to address each fraud risk.
Consider the use of targeted data analytics via machine learning or traditional rules-based analysis. This is a powerful tool in helping to identify and monitor correlations and risk areas which may warrant preventative action or investigation.
It can take time for internal teams to get to grips with any new legislation and when it comes to fraud protection solutions, one size does not fit all.
Having investigated some of the most complex and high-profile frauds of recent times, we’re able to bring an invaluable ‘lessons learned’ perspective to proactive fraud-risk management. If you would like to discuss any of the issues raised in this blog please don’t hesitate to get in contact.
Among other things, the Deloitte team offers:
James is a Partner in our Risk Advisory practice with over 16 years’ experience advising organisations in the UK and overseas on a wide range of internal audit, risk management, controls, anti-fraud, governance and compliance related matters. He has held senior roles at a range of organisations, helping to drive transformational change, working closely with Board and Exec-level stakeholders. Increasingly, James is called upon to improve the efficiency and effectiveness of internal audit, risk management and wider methods of assurance within organisations through the implementation of appropriate technologies, including the latest bespoke cloud solutions. The rapid deployment of such solutions has helped optimise the approach taken by risk and control functions, raising engagement with the business, whilst lowering cost. Within Deloitte James leads our UK Internal Audit and Controls Consumer business, working closely with organisation across the transport, hospitality and services sectors, as well as retailers and consumer product brands. James also sits on the Pension Governance Committee for the UK firm, providing input to the governance and risk management arrangements around Deloitte’s defined contribution pension scheme and scrutinising and challenging the representations made by the external pension provider.
Julian specialises in forensic advisory and conducting financial crime investigations. He has led and advised on a number of cases involving AML, corruption, sanctions, fraud and accounting irregularities. He is experienced in dealing with retained counsel, client management, other third parties and prosecutors and regulators. His particular focus and expertise is in the financial services sector. He has also led corruption and fraud work in the oil and gas, automotive and technology sectors.