The article below was originally published on Compliance Matters.
In today’s fast-paced, multinational and just-in-time business environment, companies are under increasing pressure to find efficiencies and streamline their businesses to enhance the bottom line. Equally, the speed with which information reaches the public and other stakeholders means that organisations need to be on the front foot to ensure they are giving enough focus to protecting their reputation, fostering an ethical environment and complying with an ever-changing regulatory framework. Compliance and legal functions are becoming ever more aware that there is no room for complacency when it comes to managing risks.
With a spate of large-scale corporate fraud cases hitting the headlines in recent months, public debate has turned to who is responsible for stopping the fraudsters in their tracks. Is it the statutory auditors, the internal audit team, the in-house compliance team, or the board of the company who must ensure that adequate prevention and detection mechanisms are in place to deal with potential threats before it is too late, and to identify whether large-scale fraud has already taken place?
It is a common perception that it is up to either the internal or the external auditors to identify fraud in an organisation. While fraud should without doubt be on the radar of auditors, the actual role of both external and internal audit is frequently misunderstood.
The focus of the external auditor is to provide assurance to stakeholders of the business, including shareholders, employees, financiers or customers, allowing them to make decisions about their engagement with the company. An external auditor’s approach should focus on the most significant, or material aspects which are likely to affect this decision making.
Complementary to this, internal audit’s primary focus is on assessing the design and effectiveness of internal controls in a company, to provide assurance to the management of the company that the controls have been designed effectively and are functioning as planned.
In undertaking either of these important responsibilities, it is vital that both internal and external auditors retain a level of professional scepticism which allows them to think beyond the numbers or the process, and to challenge the substance and the sense of what they are seeing. In some of the recent high-profile fraud cases, there is certainly a question to be asked as to whether these parties truly exercised the appropriate level of scepticism and properly followed up on any suspicions identified during their work.
There is also the question of deliberate deception. Management and employees of a company have access to far more information and knowledge about what is really happening than the snapshot provided to either internal or external auditors. If they willingly deceive the checkers, then even the expected level of professional scepticism may not detect it. How far should auditors be expected to go? Given that audit firms are also trying to find their own efficiencies and remain competitive, the detailed work is frequently conducted by more junior staff who may not have the experience to identify potential issues, or the confidence to challenge management. These are all reasons why more serious issues may go unidentified or unreported.
Driving an anti-fraud culture
The only real way that an organisation can be comfortable that it is properly addressing the fraud risks specific to that organisation is to put fraud risk assessment and response on the agenda at the highest level, and to disseminate this properly down through the business. Certain industries have been leaders in defining and framing best practice: in the financial services sector, for example, the FCA has set out the importance of creating a strong organisational culture and being proactive in managing the ethical component of compliance risk. The introduction of the Senior Managers and Certification Regime (SM&CR), which came into effect for banks in 2016, three years before this article, is a good example of this. The SM&CR sets minimum standards for the behaviour of financial services staff and aims to promote a culture where senior executives take responsibility for identifying where any harm to the business might occur, and take action to prevent it, including fraudulent activity. These principles can be applied across all sectors.
This cultural element shapes the mindset with which employees of an organisation approach fraud, and can be used to define specific processes and controls which directly address the fraud risks of a particular industry and organisation. By building a culture of compliance that goes beyond ticking boxes and meeting regulatory requirements, senior management can give employees the power and drive to question suspicious activity and seek the truth behind transactions. Fraud can occur at all levels of a business, so it is vital that these values are spread across the whole organisation, with junior members of the team feeling just as empowered to raise concerns as the CEO.
From culture to practice
Even where there is a strong tone at the top, this does not remove the need to translate culture into detailed processes for fraud prevention and proactive monitoring. There are many tools in the box for applying the cultural element to specific and tangible responsibilities, from targeted data analytics to audits and due diligence of business touchpoints. The key to a successful fraud risk programme is the marrying up of a deep-rooted culture of doing the right thing with specific roles, responsibilities and actions to prevent and detect fraud on the front line. This needs to be a holistic and evolving process, which adapts as the environment changes around it.