The article below was originally published on Financial Director.
Thanks to the fast-paced international nature of the modern business world, organisations face increasing pressure to identify efficiencies and streamline operations to protect their bottom line. Equally, the rapid spread of information means that companies must also give active attention to reputation management, to creating an ethical environment, and to complying with an evolving regulatory landscape. The fight against complacency in compliance and legal functions is more important than ever when it comes to managing these risks.
Several high-profile and large-scale corporate fraud cases have made headlines in recent months, catalysing debate as to who is responsible for preventing fraud, and why it was not detected sooner. Is it the responsibility of statutory auditors, internal audit and compliance teams, or company boards to ensure that prevention and detection mechanisms can deal with potential threats before it is too late, and to identify whether large-scale fraud has taken place?
Not as simple as it seems
It is a widely-held belief that the responsibility for detecting fraud lies with the external (statutory) auditor or internal audit teams, as shown by recent cases in which auditors have faced parliamentary enquiries in the UK and negligence claims in civil lawsuits worldwide.
This belief is rooted in a common misunderstanding of the actual role of both internal and external auditors. The focus of the external auditor is to interrogate the presentation of an organisation’s financial statements, to verify that they are aligned with the internal records and accounting data of that company, and to provide an opinion for external stakeholders that the accounts are presented without material error.
Alongside this, the primary focus of an internal audit is to assess the design and effectiveness of controls in a company, and to provide assurance to the management team that the controls in place are both designed properly and functioning effectively.
In both cases, it is important that a level of professional scepticism is applied by auditors. This can be challenging, as the detailed work of an external audit is often carried out by junior members of staff without the experience to identify areas which, to a more experienced auditor or finance professional, would indicate a red flag. As a result, fraudulent activity can go undetected. Equally, as external auditors usually test only the most material balances, they may not identify smaller instances of fraud if there is no evidence of material misstatement.
In cases where the perpetrators of fraud are more senior management, the auditor may be intentionally deceived through the provision of misleading or manipulated information. There is an argument that the auditor's responsibility to challenge the veracity of the information supplied stops at standard checks, for example testing the completeness of the data. If a company or employee deliberately sets out to deceive auditors, the deception may well go undetected, given the deep and broad understanding of the business that senior management are likely to have.
Building an anti-fraud ethos
Whilst few would dispute that auditors should escalate and fully investigate any suspicions of fraud or obvious ‘red flags’, the ultimate responsibility for preventing and detecting fraud rests with an organisation’s management and staff. The only sure-fire way a company can be certain it is properly addressing fraud risks is to put fraud risk assessment and response on the board’s agenda. In the modern era of heightened public awareness and instant news, complacency is not a luxury companies can afford. Instead, they must take a proactive approach to mitigating fraud risk.
Certain industries have taken the lead in this, defining and framing best practice. Notably, in the financial services sector, the FCA has outlined the importance of fostering a strong organisational culture and being proactive in managing the ethical aspect of compliance risk. The introduction of the Senior Managers and Certification Regime (SM&CR), which aims to promote a culture where senior executives take responsibility for identifying and preventing risks, is one good example of this.
Too often, compliance is treated as a ‘tick-box’ exercise – following business protocols, checking against lists of criteria and assuming that the job is complete. But this approach does not go far enough. Companies must not only consider the type of transactions or records, but also test their substance on an ongoing basis, querying transactions and underlying supporting documentation to be comfortable that they make sense.
To tackle these issues properly, senior management and boards have to implement company-wide processes and procedures which proactively assess fraud-specific risks. A proactive approach to detecting fraud requires deploying several complementary tools, one of which is data analytics. By continually analysing and monitoring internal data sets, companies can generate a clearer picture of their relationships with third parties and identify patterns in fund flows, as well as any changes in those patterns which could indicate a fraud risk. The most effective fraud prevention programmes will also consider how structured controls might be bypassed or overridden to allow fraudulent activity to occur. Internal audit departments can play an important role here, and the development of their function to take on greater involvement should be encouraged.
Furthermore, organisations are likely to be better at identifying suspicious activity if they consider where information could be manipulated or disguised, and how company assets might be embezzled, effectively stopping fraud before it causes irreparable damage.
Although it is essential that organisations take these measures, they will only be as effective as the weakest link in any system – usually, their employees. Therefore, boards must create and promote an environment that transcends mere compliance, empowering employees across the whole business to ask questions and get answers that add up. Fraud is most common in the mid- to lower-level tiers of business operations, and as such, those on the ground must be just as aware of both the impact of fraud and the role they play in helping to detect it.
Clearly, the tools and tactics are available for companies to tackle fraud risks, but the key to their successful implementation is the combination of a deep-rooted culture of doing the right thing, with specific strategies for detecting and preventing fraud. It is vital that this is done proactively, and as part of a holistic and evolving process which can be moulded to face the challenges thrown up by the modern business environment.